CVE-2023-27561

Name
CVE-2023-27561
Description
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
NVD Severity
medium

References

| Type | URI |
|------|-----|
| MISC | https://github.com/opencontainers/runc/issues/3751 |
| MISC | https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 |
| MISC | https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---------|----------------|-------------|-------------|
| cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:* | runc | >= None | <= 1.1.4 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|----------------|--------|---------|------------|--------|
| runc | edge-community | 1.1.4-r7 | Jake Buchholz Göktürk <tomalok@gmail.com> | fixed |
| runc | 3.17-community | 1.1.4-r6 | Jake Buchholz Göktürk <tomalok@gmail.com> | fixed |