Incorrect Access Control in runc Affects Container Security
CVE-2019-19921

7HIGH

Key Information:

Vendor: Linux
Status: Runc
Vendor: CVE Published:; 12 February 2020

Summary

The runc container runtime prior to version 1.0.0-rc10 is susceptible to an Incorrect Access Control flaw that can result in Privilege Escalation. Attackers can exploit this vulnerability by spawning two containers with custom volume-mount configurations and executing custom images. This poses a risk as it allows unauthorized access to resources and potential manipulation of the container environment. However, Docker is unaffected due to an implementation detail that mitigates the exploit.

References

https://github.com/opencontainers/runc/releases

https://security-tracker.debian.org/tracker/CVE-2019-19921

https://github.com/opencontainers/runc/issues/2197

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2020
Vulnerability Reserved
Dec 22, 2019