CVE-2019-19921

EUVD-2021-1060
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
CVSS 3.x Base Score

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7 HIGH | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS Score: Percentile 31%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| linuxfoundation | runc | x ≤ 0.1.1 |
| linuxfoundation | runc | 1.0.0:rc1 |
| linuxfoundation | runc | 1.0.0:rc2 |
| linuxfoundation | runc | 1.0.0:rc3 |
| linuxfoundation | runc | 1.0.0:rc4 |
| linuxfoundation | runc | 1.0.0:rc5 |
| linuxfoundation | runc | 1.0.0:rc6 |
| linuxfoundation | runc | 1.0.0:rc7 |
| linuxfoundation | runc | 1.0.0:rc8 |
| linuxfoundation | runc | 1.0.0:rc9 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 19.10 |
| redhat | openshift_container_platform | 4.1 |
| redhat | openshift_container_platform | 4.2 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| runc | bookworm | 1.1.5+ds1-1+deb12u1 | fixed |
| runc | bookworm (security) | 1.1.5+ds1-1+deb12u1 | fixed |
| runc | bullseye | 1.0.0~rc93+ds1-5+deb11u5 | fixed |
| runc | bullseye (security) | 1.0.0~rc93+ds1-5+deb11u3 | fixed |
| runc | sid | 1.1.15+ds1-1 | fixed |
| runc | stretch | | no-dsa |
| runc | trixie | 1.1.12+ds1-5.1 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| runc | bionic | 1.0.0~rc10-0ubuntu1~18.04.2 | released |
| runc | disco | | ignored |
| runc | eoan | 1.0.0~rc10-0ubuntu1~19.10.2 | released |
| runc | focal | 1.0.0~rc10-0ubuntu1 | released |
| runc | groovy | 1.0.0~rc10-0ubuntu1 | released |
| runc | hirsute | 1.0.0~rc10-0ubuntu1 | released |
| runc | impish | 1.0.0~rc10-0ubuntu1 | released |
| runc | jammy | 1.0.0~rc10-0ubuntu1 | released |
| runc | kinetic | 1.0.0~rc10-0ubuntu1 | released |
| runc | lunar | 1.0.0~rc10-0ubuntu1 | released |
| runc | trusty | | dne |
| runc | xenial | 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4 | released |