AppArmor Restriction Bypass in Docker and runc
CVE-2019-16884

7.5HIGH

Key Information:

Vendor
Linux
Status
Runc
Vendor
CVE Published:
25 September 2019

Summary

A vulnerability in runc, used by Docker, allows attackers to bypass AppArmor restrictions due to incorrect checks on mount targets in libcontainer/rootfs_linux.go. This flaw enables malicious Docker images to potentially mount over the crucial /proc directory, exposing sensitive information or compromising system security. Users of affected Docker versions should update to mitigate this risk.

References

https://github.com/opencontainers/runc/issues/2128
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.