Privilege Escalation Vulnerability in runc from OpenContainers
CVE-2023-27561
7 HIGH
Summary
The runc container runtime, in versions up to 1.1.4, has an incorrect access control vulnerability that can allow an attacker to escalate privileges. The issue arises when an attacker can create two containers with custom volume-mount configurations and can also execute custom images. The vulnerability also stems from a regression related to CVE-2019-19921, highlighting the need for careful configuration management in containerized environments.
CVSS V3.1
Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved