CVE-2023-25809

2023-03-2919:15:22

CWE-281

GitHub_M

web.nvd.nist.gov

122

runc

cli tool

containers

oci

security vulnerability

cve

unauthorized access

cgroup namespace

upgrade

cgroup v2

maskedpaths

CVSS3

6.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

JSON

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g…, (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other users’s cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup to maskedPaths.

Affected configurations

Nvd

Vulners

Node

linuxfoundationruncRange<1.1.5

VendorProductVersionCPE
linuxfoundationrunc*cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linuxfoundation	runc	*	cpe:2.3:a:linuxfoundation:runc::::::::

CNA Affected

[
  {
    "vendor": "opencontainers",
    "product": "runc",
    "versions": [
      {
        "version": "< 1.1.5",
        "status": "affected"
      }
    ]
  }
]