CVE-2019-19921

7HIGH

Key Information:

Vendor: Linux
Status: Runc
Vendor: CVE Published:; 12 February 2020

Summary

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

References

https://github.com/opencontainers/runc/releases

https://security-tracker.debian.org/tracker/CVE-2019-19921

https://github.com/opencontainers/runc/issues/2197

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2020
Vulnerability Reserved
Dec 22, 2019