Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/1052233?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1052233?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc6%2Bdfsg1-2", "type": "deb", "namespace": "debian", "name": "runc", "version": "1.0.0~rc6+dfsg1-2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.0.3+ds1-1", "latest_non_vulnerable_version": "1.3.3+ds1-2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37329?format=api", "vulnerability_id": "VCID-3m4n-58pj-mkeb", "summary": "Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29162.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29162.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31636", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.32074", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.32114", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31935", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31986", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.32015", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.32018", "published_at": "2026-04-11T12:55:00Z" }, { 
"value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31979", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31945", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31957", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31931", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00127", "scoring_system": "epss", "scoring_elements": "0.31763", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29162" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29162", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29162" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5" }, { "reference_url": "https://github.com/opencontainers/runc/releases/tag/v1.1.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.2" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29162", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29162" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2086398", "reference_id": "2086398", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2086398" }, { "reference_url": "https://security.archlinux.org/AVG-2707", "reference_id": "AVG-2707", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "archlinux", 
"scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2707" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB/", "reference_id": "AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND/", "reference_id": "D77CKD3AXPMU4PMQIQI5Q74SI4JATNND", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND/" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y/", "reference_id": "GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:31Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5068", "reference_id": "RHSA-2022:5068", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5068" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7457", "reference_id": "RHSA-2022:7457", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7457" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7469", "reference_id": "RHSA-2022:7469", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7469" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8090", "reference_id": "RHSA-2022:8090", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8090" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1052236?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3yvf-q4uj-dbdh" }, { "vulnerability": "VCID-jc1e-8tt4-xqdn" }, { "vulnerability": "VCID-seds-dzew-jyfs" }, { "vulnerability": "VCID-tsgr-5mwt-jkeh" }, { "vulnerability": "VCID-v2ys-xbn5-guh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u2" } ], "aliases": [ "CVE-2022-29162", "GHSA-f3fp-gc8g-vw66" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3m4n-58pj-mkeb" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/37083?format=api", "vulnerability_id": "VCID-3yvf-q4uj-dbdh", "summary": "Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC\n### Impact\n\nIn runc, [netlink](https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.\n\nThis vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces.\n\nPrior to 9c444070ec7bb83995dbc0185da68284da71c554, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc's `config.json`, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting **would allow the attacker to disable namespace protections entirely anyway** (setting them to `/proc/1/ns/...` for instance). 
In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter.\n\nHowever, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c444070ec7bb83995dbc0185da68284da71c554 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios.\n\nThe main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure), though as mentioned above it appears this bug was not practically exploitable on any released version of runc to date.\n\n### Patches\nThe patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed.\n\n### Workarounds\nTo the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.\n\n### References\n* commit d72d057ba794 (\"runc init: avoid netlink message length overflows\")\n* https://bugs.chromium.org/p/project-zero/issues/detail?id=2241\n\n### Credits\nThanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability. 
In particular, the fact they found this vulnerability so quickly, before we made a 1.1 release of runc (which would've been vulnerable) was quite impressive.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our repo](https://github.com/opencontainers/runc)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29842", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29958", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30027", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30072", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30168", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30078", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30128", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30171", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30175", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30132", 
"published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30073", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30255", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30206", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30093", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43784" }, { "reference_url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43784" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554" }, { "reference_url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae" }, { "reference_url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77" }, { "reference_url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2022-0274", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2022-0274" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439", "reference_id": "2029439", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439" }, { "reference_url": "https://security.archlinux.org/AVG-2599", "reference_id": "AVG-2599", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2599" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", 
"reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994646?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5" } ], "aliases": [ "CVE-2021-43784", "GHSA-v95c-p5hm-xq8f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3yvf-q4uj-dbdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39636?format=api", "vulnerability_id": "VCID-997v-f2ds-e3e4", "summary": "Multiple vulnerabilities have been discovered in runC, the worst of\n which may lead to privilege escalation.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:0688", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, 
{ "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2020:0688" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:0695", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2020:0695" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19921.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19921.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19921", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31625", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32005", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31976", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31924", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32102", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32062", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31934", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31922", "published_at": 
"2026-04-21T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31752", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31948", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31935", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.31969", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00126", "scoring_system": "epss", "scoring_elements": "0.32008", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19921" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921" }, { "reference_url": "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0" }, { "reference_url": "https://github.com/opencontainers/runc/issues/2197", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/issues/2197" }, { "reference_url": "https://github.com/opencontainers/runc/pull/2190", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/pull/2190" }, { "reference_url": "https://github.com/opencontainers/runc/pull/2207", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/pull/2207" }, { "reference_url": "https://github.com/opencontainers/runc/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/releases" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19921", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19921" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2021-0087", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2021-0087" }, { "reference_url": "https://security-tracker.debian.org/tracker/CVE-2019-19921", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://security-tracker.debian.org/tracker/CVE-2019-19921" }, { "reference_url": "https://usn.ubuntu.com/4297-1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://usn.ubuntu.com/4297-1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796107", "reference_id": "1796107", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796107" }, { "reference_url": "https://security.gentoo.org/glsa/202003-21", "reference_id": "GLSA-202003-21", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202003-21" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:0942", "reference_id": "RHSA-2020:0942", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:0942" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:1485", "reference_id": "RHSA-2020:1485", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:1485" }, { "reference_url": "https://usn.ubuntu.com/4297-1/", "reference_id": "USN-4297-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4297-1/" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1052235?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-3m4n-58pj-mkeb" }, { "vulnerability": "VCID-3yvf-q4uj-dbdh" }, { "vulnerability": "VCID-jc1e-8tt4-xqdn" }, { "vulnerability": "VCID-seds-dzew-jyfs" }, { "vulnerability": "VCID-tsgr-5mwt-jkeh" }, { "vulnerability": "VCID-v2ys-xbn5-guh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5" } ], "aliases": [ "CVE-2019-19921", "GHSA-fh74-hm69-rqjw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-997v-f2ds-e3e4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47806?format=api", "vulnerability_id": "VCID-9mdg-3961-cybf", "summary": "mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs\n### Summary\n\nrunc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby\nan attacker can request a seemingly-innocuous container configuration that\nactually results in the host filesystem being bind-mounted into the container\n(allowing for a container escape). CVE-2021-30465 has been assigned for this\nissue.\n\nAn attacker must have the ability to start containers using some kind of custom\nvolume configuration, and while recommended container hardening mechanisms such\nas LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of\ndamage an attacker could do, they do not block this attack outright. 
We have a\nreproducer using Kubernetes (and the below description mentions\nKubernetes-specific paths), but this is not a Kubernetes-specific issue.\n\nThe now-released [runc v1.0.0-rc95][release] contains a fix for this issue, we\nrecommend users update as soon as possible.\n\n[release]: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95\n\n### Details\n\nIn circumstances where a container is being started, and runc is mounting\ninside a volume shared with another container (which is conducting a\nsymlink-exchange attack), runc can be tricked into mounting outside of the\ncontainer rootfs by swapping the target of a mount with a symlink due to a\ntime-of-check-to-time-of-use (TOCTTOU) flaw. This is fairly similar in style to\nprevious TOCTTOU attacks (and is a problem we are working on solving with\nlibpathrs).\n\nHowever, this alone is not useful because this happens inside a mount namespace\nwith `MS_SLAVE` propagation applied to `/` (meaning that the mount doesn't\nappear on the host -- it's only a \"host-side mount\" inside the container's\nnamespace). To exploit this, you must have additional mount entries in the\nconfiguration that use some subpath of the mounted-over host path as a source\nfor a subsequent mount.\n\nHowever, it turns out with some container orchestrators (such as Kubernetes --\nthough it is very likely that other downstream users of runc could have similar\nbehaviour be accessible to untrusted users), the existence of additional volume\nmanagement infrastructure allows this attack to be applied to gain access to\nthe host filesystem without requiring the attacker to have completely arbitrary\ncontrol over container configuration.\n\nIn the case of Kubernetes, this is exploitable by creating a symlink in a\nvolume to the top-level (well-known) directory where volumes are sourced from\n(for instance,\n`/var/lib/kubelet/pods/$MY_POD_UID/volumes/kubernetes.io~empty-dir`), and then\nusing that symlink as the target of a mount. 
The source of the mount is an\nattacker controlled directory, and thus the source directory from which\nsubsequent mounts will occur is an attacker-controlled directory. Thus the\nattacker can first place a symlink to `/` in their malicious source directory\nwith the name of a volume, and a subsequent mount in the container will\nbind-mount `/` into the container.\n\nApplying this attack requires the attacker to start containers with a slightly\npeculiar volume configuration (though not explicitly malicious-looking such as\nbind-mounting `/` into the container explicitly), and be able to run malicious\ncode in a container that shares volumes with said volume configuration. It\nhelps the attacker if the host paths used for volume management are well known,\nthough this is not a hard requirement.\n\n### Patches\nThis has been patched in runc 1.0.0-rc95, and users should upgrade as soon as\npossible. The patch itself can be found [here](https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f).\n\n### Workarounds\n\nThere are no known workarounds for this issue.\n\nHowever, users who enforce running containers with more confined security\nprofiles (such as reduced capabilities, not running code as root in the\ncontainer, user namespaces, AppArmor/SELinux, and seccomp) will restrict what\nan attacker can do in the case of a container breakout -- we recommend users\nmake use of strict security profiles if possible (most notably user namespaces\n-- which can massively restrict the impact a container breakout can have on the\nhost system).\n\n### References\n* [commit](https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f)\n* [seclists public disclosure](https://www.openwall.com/lists/oss-security/2021/05/19/2)\n\n### Credit\n\nThanks to Etienne Champetier for discovering and disclosing this vulnerability,\nto Noah Meyerhans for writing the first draft of this patch, and to Samuel Karp\nfor testing it.\n\n### 
For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencontainers/runc/issues).\n* Email us at <security@opencontainers.org>.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30465.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30465.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.80881", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.80913", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.8089", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84357", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84392", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84383", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84354", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84353", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84902", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.8492", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": 
"0.84879", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84926", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84909", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84927", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30465" }, { "reference_url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1185405", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1185405" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f" }, { "reference_url": "https://github.com/opencontainers/runc/releases", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/releases" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HOARVIT47RULTTFWAU7XBG4WY6TDDHV", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HOARVIT47RULTTFWAU7XBG4WY6TDDHV" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465" }, { "reference_url": "https://security.gentoo.org/glsa/202107-26", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202107-26" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210708-0003", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20210708-0003" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/19/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2021/05/19/2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954736", "reference_id": "1954736", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1954736" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988768", "reference_id": "988768", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988768" }, { "reference_url": "https://security.archlinux.org/ASA-202105-17", "reference_id": "ASA-202105-17", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202105-17" }, { "reference_url": "https://security.archlinux.org/AVG-1972", "reference_id": "AVG-1972", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1972" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1562", "reference_id": "RHSA-2021:1562", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1562" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1566", "reference_id": "RHSA-2021:1566", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1566" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2057", "reference_id": "RHSA-2021:2057", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2057" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2144", "reference_id": "RHSA-2021:2144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2144" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2145", "reference_id": "RHSA-2021:2145", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2145" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2150", "reference_id": "RHSA-2021:2150", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2150" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2291", "reference_id": 
"RHSA-2021:2291", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2291" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2292", "reference_id": "RHSA-2021:2292", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2292" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2370", "reference_id": "RHSA-2021:2370", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2370" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2371", "reference_id": "RHSA-2021:2371", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2371" }, { "reference_url": "https://usn.ubuntu.com/4960-1/", "reference_id": "USN-4960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4960-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-4867-1/", "reference_id": "USN-USN-4867-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4867-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1052235?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3m4n-58pj-mkeb" }, { "vulnerability": "VCID-3yvf-q4uj-dbdh" }, { "vulnerability": "VCID-jc1e-8tt4-xqdn" }, { "vulnerability": "VCID-seds-dzew-jyfs" }, { "vulnerability": "VCID-tsgr-5mwt-jkeh" }, { "vulnerability": "VCID-v2ys-xbn5-guh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5" } ], "aliases": [ "CVE-2021-30465", "GHSA-c3xm-pvg7-gh7r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9mdg-3961-cybf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31817?format=api", "vulnerability_id": "VCID-jc1e-8tt4-xqdn", "summary": "Opencontainers 
runc Incorrect Authorization vulnerability\nrunc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to `libcontainer/rootfs_linux.go`. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27561.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27561.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27561", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.34767", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.34785", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35018", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35064", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35079", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.3504", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35065", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35099", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35095", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00146", 
"scoring_system": "epss", "scoring_elements": "0.35069", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35025", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35147", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.35118", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27561" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27561", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27561" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334" }, { "reference_url": "https://github.com/opencontainers/runc/issues/3751", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://github.com/opencontainers/runc/issues/3751" }, { "reference_url": "https://github.com/opencontainers/runc/pull/3785", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/pull/3785" }, { "reference_url": "https://github.com/opencontainers/runc/releases/tag/v1.1.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.5" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27561", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27561" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20241206-0004", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20241206-0004" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033520", "reference_id": "1033520", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033520" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2175721", "reference_id": "2175721", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2175721" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/", "reference_id": "ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN", "reference_type": "", "scores": [ { "value": "7", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/", "reference_id": "DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/", "reference_id": "FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/", "reference_id": "FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/", "reference_id": "I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-26T04:00:21Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1326", "reference_id": "RHSA-2023:1326", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1326" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3612", "reference_id": "RHSA-2023:3612", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3612" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:5006", "reference_id": "RHSA-2023:5006", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:5006" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", "reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6938", "reference_id": "RHSA-2023:6938", 
"reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6938" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6939", "reference_id": "RHSA-2023:6939", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6939" }, { "reference_url": "https://usn.ubuntu.com/6088-1/", "reference_id": "USN-6088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-1/" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994646?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5" } ], "aliases": [ "CVE-2023-27561", "GHSA-vpvm-3wq2-2wvm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jc1e-8tt4-xqdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/31360?format=api", "vulnerability_id": "VCID-seds-dzew-jyfs", "summary": "runc AppArmor bypass with symlinked /proc\n### Impact\nIt was found that AppArmor, and potentially SELinux, can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration.\n\n### Patches\nFixed in runc v1.1.5, by prohibiting symlinked `/proc`: https://github.com/opencontainers/runc/pull/3785\n\nThis PR fixes CVE-2023-27561 as well.\n\n### Workarounds\nAvoid using an untrusted container image.", "references": [ { "reference_url": 
"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28642.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28642.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28642", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01328", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01815", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01825", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0174", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01739", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0175", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01752", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01762", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01755", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01811", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01767", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01759", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28642" }, { 
"reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28642", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28642" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/pull/3785", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:47Z/" } ], "url": "https://github.com/opencontainers/runc/pull/3785" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:47Z/" } ], "url": 
"https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20241206-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20241206-0005" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182883", "reference_id": "2182883", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182883" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1326", "reference_id": "RHSA-2023:1326", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1326" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", "reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6938", "reference_id": "RHSA-2023:6938", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6938" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6939", "reference_id": "RHSA-2023:6939", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6939" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0564", "reference_id": "RHSA-2024:0564", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0564" }, { "reference_url": "https://usn.ubuntu.com/6088-1/", "reference_id": "USN-6088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-1/" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994646?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5" } ], "aliases": [ "CVE-2023-28642", "GHSA-g2j6-57v7-gm8c" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "7.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-seds-dzew-jyfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14393?format=api", "vulnerability_id": "VCID-tsgr-5mwt-jkeh", "summary": "runc vulnerable to container breakout through process.cwd trickery and leaked fds\n### Impact\n\nIn runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). 
The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through `runc run` (\"attack 1\"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\").\n\nStrictly speaking, while attack 3a is the most severe from a CVSS perspective, attacks 2 and 3b are arguably more dangerous in practice because they allow for a breakout from inside a container as opposed to requiring a user to execute a malicious image. The reason attacks 1 and 3a are scored higher is because being able to socially engineer users is treated as a given for UI:R vectors, despite attacks 2 and 3b requiring far more minimal user interaction (just reasonable `runc exec` operations on a container the attacker has access to). In any case, all four attacks can lead to full control of the host system.\n\n#### Attack 1: `process.cwd` \"mis-configuration\"\n\nIn runc 1.1.11 and earlier, several file descriptors were inadvertently leaked internally within runc into `runc init`, including a handle to the host's `/sys/fs/cgroup` (this leak was added in v1.0.0-rc93). If the container was configured to have `process.cwd` set to `/proc/self/fd/7/` (the actual fd can change depending on file opening order in `runc`), the resulting pid1 process will have a working directory in the host mount namespace and thus the spawned process can access the entire host filesystem. 
This alone is not an exploit against runc, however a malicious image could make any innocuous-looking non-`/` path a symlink to `/proc/self/fd/7/` and thus trick a user into starting a container whose binary has access to the host filesystem.\n\nFurthermore, prior to runc 1.1.12, runc also did not verify that the final working directory was inside the container's mount namespace after calling `chdir(2)` (as we have already joined the container namespace, it was incorrectly assumed there would be no way to chdir outside the container after `pivot_root(2)`).\n\nThe CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (8.2, high severity).\n\nNote that this attack requires a privileged user to be tricked into running a malicious container image. It should be noted that when using higher-level runtimes (such as Docker or Kubernetes), this exploit can be considered critical as it can be done remotely by anyone with the rights to start a container image (and can be exploited from within Dockerfiles using `ONBUILD` in the case of Docker).\n\n#### Attack 2: `runc exec` container breakout\n\n(This is a modification of attack 1, constructed to allow for a process inside a container to break out.)\n\nThe same fd leak and lack of verification of the working directory in attack 1 also apply to `runc exec`. If a malicious process inside the container knows that some administrative process will call `runc exec` with the `--cwd` argument and a given path, in most cases they can replace that path with a symlink to `/proc/self/fd/7/`. 
Once the container process has executed the container binary, `PR_SET_DUMPABLE` protections no longer apply and the attacker can open `/proc/$exec_pid/cwd` to get access to the host filesystem.\n\n`runc exec` defaults to a cwd of `/` (which cannot be replaced with a symlink), so this attack depends on the attacker getting a user (or some administrative process) to use `--cwd` and figuring out what path the target working directory is. Note that if the target working directory is a parent of the program binary being executed, the attacker might be unable to replace the path with a symlink (the `execve` will fail in most cases, unless the host filesystem layout specifically matches the container layout in specific ways and the attacker knows which binary the `runc exec` is executing).\n\nThe CVSS score for this attack is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N (7.2, high severity).\n\n#### Attacks 3a and 3b: `process.args` host binary overwrite attack\n\n(These are modifications of attacks 1 and 2, constructed to overwrite a host binary by using `execve` to bring a magic-link reference into the container.)\n\nAttacks 1 and 2 can be adapted to overwrite a host binary by using a path like `/proc/self/fd/7/../../../bin/bash` as the `process.args` binary argument, causing a host binary to be executed by a container process. The `/proc/$pid/exe` handle can then be used to overwrite the host binary, as seen in CVE-2019-5736 (note that the same `#!` trick can be used to avoid detection as an attacker). As the overwritten binary could be something like `/bin/bash`, as soon as a privileged user executes the target binary on the host, the attacker can pivot to gain full access to the host.\n\nFor the purposes of CVSS scoring:\n\n* Attack 3a is attack 1 but adapted to overwrite a host binary, where a malicious image is set up to execute `/proc/self/fd/7/../../../bin/bash` and run a shell script that overwrites `/proc/self/exe`, overwriting the host copy of `/bin/bash`. 
The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (8.6, high severity).\n* Attack 3b is attack 2 but adapted to overwrite a host binary, where the malicious container process overwrites all of the possible `runc exec` target binaries inside the container (such as `/bin/bash`) such that a host target binary is executed and then the container process opens `/proc/$pid/exe` to get access to the host binary and overwrite it. The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (8.2, high severity).\n\nAs mentioned in attack 1, while 3b is scored lower it is more dangerous in practice as it doesn't require a user to run a malicious image.\n\n### Patches\nrunc 1.1.12 has been released, and includes patches for this issue. Note that there are four separate fixes applied:\n\n* Checking that the working directory is actually inside the container by checking whether `os.Getwd` returns `ENOENT` (Linux provides a way of detecting if cwd is outside the current namespace root). This explicitly blocks runc from executing a container process when inside a non-container path and thus eliminates attacks 1 and 2 even in the case of fd leaks.\n* Close all internal runc file descriptors in the final stage of `runc init`, right before `execve`. This ensures that internal file descriptors cannot be used as an argument to `execve` and thus eliminates attacks 3a and 3b, even in the case of fd leaks. 
This requires hooking into some Go runtime internals to make sure we don't close critical Go internal file descriptors.\n* Fixing the specific fd leaks that made these bugs exploitable (mark `/sys/fs/cgroup` as `O_CLOEXEC` and backport a fix for some `*os.File` leaks).\n* In order to protect against future `runc init` file descriptor leaks, mark all non-stdio files as `O_CLOEXEC` before executing `runc init`.\n\n### Other Runtimes\n\nWe have discovered that several other container runtimes are either potentially vulnerable to similar attacks, or do not have sufficient protection against attacks of this nature. We recommend other container runtime authors look at [our patches](#Patches) and make sure they at least add a `getcwd() != ENOENT` check as well as consider whether `close_range(3, UINT_MAX, CLOSE_RANGE_CLOEXEC)` before executing their equivalent of `runc init` is appropriate.\n\n * crun 1.12 does not leak any useful file descriptors into the `runc init`-equivalent process (so this attack is _not exploitable_ as far as we can tell), but no care is taken to make sure all non-stdio files are `O_CLOEXEC` and there is no check after `chdir(2)` to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed to `crun` are not closed until the container process is executed, meaning that easily-overlooked programming errors by users of `crun` can lead to these attacks becoming exploitable.\n * youki 0.3.1 does not leak any useful file descriptors into the `runc init`-equivalent process (so this attack is _not exploitable_ as far as we can tell) however this appears to be pure luck. `youki` does leak a directory file descriptor from the host mount namespace, but it just so happens that the directory is the rootfs of the container (which then gets `pivot_root`'d into and so ends up as an in-root path thanks to `chroot_fs_refs`). 
In addition, no care is taken to make sure all non-stdio files are `O_CLOEXEC` and there is no check after `chdir(2)` to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed to `youki` are not closed until the container process is executed, meaning that easily-overlooked programming errors by users of `youki` can lead to these attacks becoming exploitable.\n * LXC 5.0.3 does not appear to leak any useful file descriptors, and they have comments noting the importance of not leaking file descriptors in `lxc-attach`. However, they don't seem to have any proactive protection against file descriptor leaks at the point of `chdir` such as using `close_range(...)` (they do have RAII-like `__do_fclose` closers but those don't necessarily stop all leaks in this context) nor do they have any check after `chdir(2)` to ensure the working directory is inside the container. Unfortunately it seems they cannot use `CLOSE_RANGE_CLOEXEC` because they don't need to re-exec themselves.\n\n### Workarounds\nFor attacks 1 and 2, only permit containers (and `runc exec`) to use a `process.cwd` of `/`. 
It is not possible for `/` to be replaced with a symlink (the path is resolved from within the container's mount namespace, and you cannot change the root of a mount namespace or an fs root to a symlink).\n\nFor attacks 1 and 3a, only permit users to run trusted images.\n\nFor attack 3b, there is no practical workaround other than never using `runc exec` because any binary you try to execute with `runc exec` could end up being a malicious binary target.\n\n### See Also\n* https://www.cve.org/CVERecord?id=CVE-2024-21626\n* https://github.com/opencontainers/runc/releases/tag/v1.1.12\n* The runc 1.1.12 merge commit https://github.com/opencontainers/runc/commit/a9833ff391a71b30069a6c3f816db113379a4346, which contains the following security patches:\n * https://github.com/opencontainers/runc/commit/506552a88bd3455e80a9b3829568e94ec0160309\n * https://github.com/opencontainers/runc/commit/0994249a5ec4e363bfcf9af58a87a722e9a3a31b\n * https://github.com/opencontainers/runc/commit/fbe3eed1e568a376f371d2ced1b4ac16b7d7adde\n * https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df\n * https://github.com/opencontainers/runc/commit/b6633f48a8c970433737b9be5bfe4f25d58a5aa7\n * https://github.com/opencontainers/runc/commit/683ad2ff3b01fb142ece7a8b3829de17150cf688\n * https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951\n\n### Credits\n\nThanks to Rory McNamara from Snyk for discovering and disclosing the original vulnerability (attack 1) to Docker, @lifubang from acmcoder for discovering how to adapt the attack to overwrite host binaries (attack 3a), and Aleksa Sarai from SUSE for discovering how to adapt the attacks to work as container breakouts using `runc exec` (attacks 2 and 3b).", "references": [ { "reference_url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21626.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21626.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21626", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03456", "scoring_system": "epss", "scoring_elements": "0.87558", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.03456", "scoring_system": "epss", "scoring_elements": "0.87551", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.03873", "scoring_system": "epss", "scoring_elements": "0.88248", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.05303", "scoring_system": "epss", "scoring_elements": "0.90042", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.05303", "scoring_system": "epss", "scoring_elements": "0.90041", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.05634", "scoring_system": "epss", "scoring_elements": "0.90346", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.06756", "scoring_system": "epss", "scoring_elements": "0.91295", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.06756", "scoring_system": "epss", "scoring_elements": "0.91292", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.06756", "scoring_system": "epss", "scoring_elements": "0.91285", "published_at": "2026-04-09T12:55:00Z" }, { "value": 
"0.06756", "scoring_system": "epss", "scoring_elements": "0.91279", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.06756", "scoring_system": "epss", "scoring_elements": "0.91266", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.07448", "scoring_system": "epss", "scoring_elements": "0.91734", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.07448", "scoring_system": "epss", "scoring_elements": "0.91729", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21626" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21626", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21626" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": 
"https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf" }, { "reference_url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21626" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/01/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/02/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062532", "reference_id": "1062532", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062532" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258725", "reference_id": "2258725", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258725" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/", "reference_id": "2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0645", "reference_id": "RHSA-2024:0645", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0645" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0662", "reference_id": "RHSA-2024:0662", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0662" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2024:0666", "reference_id": "RHSA-2024:0666", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0666" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0670", "reference_id": "RHSA-2024:0670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0684", "reference_id": "RHSA-2024:0684", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0684" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0717", "reference_id": "RHSA-2024:0717", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0717" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0748", "reference_id": "RHSA-2024:0748", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0748" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0752", "reference_id": "RHSA-2024:0752", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0752" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0755", "reference_id": "RHSA-2024:0755", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0755" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0756", "reference_id": "RHSA-2024:0756", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0756" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0757", "reference_id": "RHSA-2024:0757", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0757" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0758", "reference_id": "RHSA-2024:0758", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0758" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2024:0759", "reference_id": "RHSA-2024:0759", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0759" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0760", "reference_id": "RHSA-2024:0760", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0760" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0764", "reference_id": "RHSA-2024:0764", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0764" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10149", "reference_id": "RHSA-2024:10149", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10149" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10520", "reference_id": "RHSA-2024:10520", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10520" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10525", "reference_id": "RHSA-2024:10525", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10525" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10841", "reference_id": "RHSA-2024:10841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10841" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1270", "reference_id": "RHSA-2024:1270", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1270" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4597", "reference_id": "RHSA-2024:4597", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4597" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:0115", "reference_id": "RHSA-2025:0115", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0115" }, { 
"reference_url": "https://access.redhat.com/errata/RHSA-2025:0650", "reference_id": "RHSA-2025:0650", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:0650" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1711", "reference_id": "RHSA-2025:1711", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1711" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/", "reference_id": "SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-19T04:01:01Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/" }, { "reference_url": "https://usn.ubuntu.com/6619-1/", "reference_id": "USN-6619-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6619-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994646?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5" } ], "aliases": [ "CVE-2024-21626", "GHSA-xr7r-f8xq-vfvv" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tsgr-5mwt-jkeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30928?format=api", 
"vulnerability_id": "VCID-v2ys-xbn5-guh4", "summary": "rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc\n### Impact\nIt was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions:\n1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)\n2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare)\n\nA container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.\nOther users' cgroup hierarchies are not affected.\n\n### Patches\nv1.1.5 (planned)\n\n### Workarounds\n- Condition 1: Unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.\n- Condition 2 (very rare): add `/sys/fs/cgroup` to `maskedPaths`", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10138", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10045", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10115", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", 
"scoring_elements": "0.10136", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10176", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10103", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10001", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10077", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.11946", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1195", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12039", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12063", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12007", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25809" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25809" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/" } ], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2182884", "reference_id": "2182884", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1326", "reference_id": "RHSA-2023:1326", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1326" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", "reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6938", "reference_id": "RHSA-2023:6938", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6938" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6939", "reference_id": "RHSA-2023:6939", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6939" }, { "reference_url": "https://usn.ubuntu.com/6088-1/", "reference_id": "USN-6088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-1/" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994646?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5" } ], "aliases": [ "CVE-2023-25809", "GHSA-m8cg-xc2p-r3fc" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v2ys-xbn5-guh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39633?format=api", "vulnerability_id": "VCID-zex4-9xyf-6yf1", "summary": "Multiple vulnerabilities have been discovered in runC, the worst of\n which may lead to privilege escalation.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:3940", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2019:3940" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:4074", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2019:4074" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:4269", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2019:4269" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16884.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16884.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16884", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0032", "scoring_system": "epss", "scoring_elements": "0.5506", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0032", "scoring_system": "epss", "scoring_elements": "0.55041", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56308", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56364", 
"published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56359", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57369", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57348", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57374", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00348", "scoring_system": "epss", "scoring_elements": "0.57389", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00485", "scoring_system": "epss", "scoring_elements": "0.65333", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00485", "scoring_system": "epss", "scoring_elements": "0.65258", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00485", "scoring_system": "epss", "scoring_elements": "0.65308", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16884" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/crosbymichael/runc/commit/78dce1cf1ec36bbe7fe6767bdb81f7cbf6d34d70", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } 
], "url": "https://github.com/crosbymichael/runc/commit/78dce1cf1ec36bbe7fe6767bdb81f7cbf6d34d70" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4" }, { "reference_url": "https://github.com/opencontainers/runc/issues/2128", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/issues/2128" }, { "reference_url": "https://github.com/opencontainers/runc/pull/2129", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/pull/2129" }, { "reference_url": "https://github.com/opencontainers/runc/pull/2130", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/pull/2130" }, { "reference_url": "https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-16884", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:N/C:N/I:P/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16884" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2021-0085", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2021-0085" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220221-0004", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20220221-0004" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220221-0004/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20220221-0004/" }, { "reference_url": "https://usn.ubuntu.com/4297-1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://usn.ubuntu.com/4297-1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757214", "reference_id": "1757214", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1757214" }, { 
"reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942026", "reference_id": "942026", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942026" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942027", "reference_id": "942027", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942027" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:docker:docker:*:*:*:*:community:*:*:*", "reference_id": "cpe:2.3:a:docker:docker:*:*:*:*:community:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:docker:docker:*:*:*:*:community:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*", "reference_id": 
"cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" }, { "reference_url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*" }, { 
"reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*" }, { "reference_url": "https://security.gentoo.org/glsa/202003-21", 
"reference_id": "GLSA-202003-21", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202003-21" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:1234", "reference_id": "RHSA-2020:1234", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:1234" }, { "reference_url": "https://usn.ubuntu.com/4297-1/", "reference_id": "USN-4297-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4297-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-4867-1/", "reference_id": "USN-USN-4867-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4867-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1052235?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3m4n-58pj-mkeb" }, { "vulnerability": "VCID-3yvf-q4uj-dbdh" }, { "vulnerability": "VCID-jc1e-8tt4-xqdn" }, { "vulnerability": "VCID-seds-dzew-jyfs" }, { "vulnerability": "VCID-tsgr-5mwt-jkeh" }, { "vulnerability": "VCID-v2ys-xbn5-guh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5" } ], "aliases": [ "CVE-2019-16884", "GHSA-fgv8-vj5c-2ppq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zex4-9xyf-6yf1" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10297?format=api", "vulnerability_id": "VCID-7juj-78y7-g7b6", "summary": "Containment Errors (Container Errors)\nrunc allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a 
command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to `/proc/self/exe`.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html", "reference_id": "", "reference_type": "", "scores": [], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html" }, { "reference_url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html" }, { "reference_url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5736.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5736.json" }, { "reference_url": "https://access.redhat.com/security/cve/cve-2019-5736", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/cve-2019-5736" }, { "reference_url": "https://access.redhat.com/security/vulnerabilities/runcescape", "reference_id": "", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/security/vulnerabilities/runcescape" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5736", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.55296", "scoring_system": "epss", "scoring_elements": "0.98055", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.55296", "scoring_system": "epss", "scoring_elements": "0.98049", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.55296", "scoring_system": "epss", "scoring_elements": "0.98076", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.55296", "scoring_system": "epss", "scoring_elements": "0.98057", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98243", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98226", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98231", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98234", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98239", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.59178", "scoring_system": "epss", "scoring_elements": "0.98241", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5736" }, { "reference_url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://aws.amazon.com/security/security-bulletins/AWS-2019-002/" }, { "reference_url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/" }, { "reference_url": 
"https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/" }, { "reference_url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html" }, { "reference_url": "https://brauner.github.io/2019/02/12/privileged-containers.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://brauner.github.io/2019/02/12/privileged-containers.html" }, { "reference_url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967", "reference_id": "", "reference_type": "", "scores": [], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1121967" }, { "reference_url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/docker/docker-ce/releases/tag/v18.09.2" }, { "reference_url": "https://github.com/Frichetten/CVE-2019-5736-PoC", "reference_id": "", 
"reference_type": "", "scores": [], "url": "https://github.com/Frichetten/CVE-2019-5736-PoC" }, { "reference_url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b" }, { "reference_url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d" }, { "reference_url": "https://github.com/q3k/cve-2019-5736-poc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/q3k/cve-2019-5736-poc" }, { "reference_url": "https://github.com/rancher/runc-cve", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rancher/runc-cve" }, { "reference_url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/" }, { "reference_url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E", 
"reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190307-0008/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190307-0008/" }, { "reference_url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944" }, { "reference_url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us", "reference_id": "", "reference_type": "", "scores": [], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us" }, { "reference_url": "https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003" }, { "reference_url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc", "reference_id": "", "reference_type": "", "scores": [], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc" }, { "reference_url": "https://www.exploit-db.com/exploits/46359/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/46359/" }, { "reference_url": "https://www.exploit-db.com/exploits/46369/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.exploit-db.com/exploits/46369/" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2019/02/11/2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2019/02/11/2" }, { "reference_url": "https://www.synology.com/security/advisory/Synology_SA_19_06", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.synology.com/security/advisory/Synology_SA_19_06" }, { "reference_url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/03/23/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/03/23/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/06/28/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/06/28/2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/07/06/3", "reference_id": "", "reference_type": "", "scores": [], "url": 
"http://www.openwall.com/lists/oss-security/2019/07/06/3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/07/06/4", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/07/06/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/10/24/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/10/24/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/10/29/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/10/29/3" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/01/31/6", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/01/31/6" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/01/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/02/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3" }, { "reference_url": "http://www.securityfocus.com/bid/106976", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/106976" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1664908", "reference_id": "1664908", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1664908" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922050", "reference_id": "922050", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922050" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922169", "reference_id": "922169", "reference_type": "", "scores": [], 
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922169" }, { "reference_url": "https://security.archlinux.org/ASA-201902-20", "reference_id": "ASA-201902-20", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-201902-20" }, { "reference_url": "https://security.archlinux.org/ASA-201902-6", "reference_id": "ASA-201902-6", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-201902-6" }, { "reference_url": "https://security.archlinux.org/AVG-878", "reference_id": "AVG-878", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-878" }, { "reference_url": "https://security.archlinux.org/AVG-880", "reference_id": "AVG-880", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-880" }, { "reference_url": "https://security.archlinux.org/AVG-892", "reference_id": "AVG-892", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-892" }, { "reference_url": "https://security.archlinux.org/AVG-893", "reference_id": "AVG-893", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-893" }, { "reference_url": "https://security.archlinux.org/AVG-895", "reference_id": "AVG-895", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-895" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:d2iq:kubernetes_engine:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:d2iq:kubernetes_engine:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:d2iq:kubernetes_engine:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "reference_id": 
"cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*" }, { "reference_url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", 
"reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:d2iq:dc\\/os:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:d2iq:dc\\/os:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:d2iq:dc\\/os:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", 
"reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*" }, { "reference_url": "https://github.com/feexd/pocs/tree/a5aac58e0935a505c034b5f9e6cf35c1fc67471d/CVE-2019-5736", "reference_id": "CVE-2019-5736", "reference_type": "exploit", "scores": [], "url": 
"https://github.com/feexd/pocs/tree/a5aac58e0935a505c034b5f9e6cf35c1fc67471d/CVE-2019-5736" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/46359.md", "reference_id": "CVE-2019-5736", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/46359.md" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/46369.md", "reference_id": "CVE-2019-5736", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/46369.md" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5736", "reference_id": "CVE-2019-5736", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:C/I:C/A:C" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5736" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2019/02/13/3", "reference_id": "CVE-2019-5736", "reference_type": "exploit", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2019/02/13/3" }, { "reference_url": "https://security.gentoo.org/glsa/202003-21", "reference_id": "GLSA-202003-21", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202003-21" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:0303", "reference_id": "RHSA-2019:0303", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2019:0303" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:0304", "reference_id": "RHSA-2019:0304", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2019:0304" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:0401", "reference_id": "RHSA-2019:0401", 
"reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2019:0401" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:0408", "reference_id": "RHSA-2019:0408", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2019:0408" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2019:0975", "reference_id": "RHSA-2019:0975", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2019:0975" }, { "reference_url": "https://usn.ubuntu.com/4048-1/", "reference_id": "USN-4048-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4048-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1052233?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc6%2Bdfsg1-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3m4n-58pj-mkeb" }, { "vulnerability": "VCID-3yvf-q4uj-dbdh" }, { "vulnerability": "VCID-997v-f2ds-e3e4" }, { "vulnerability": "VCID-9mdg-3961-cybf" }, { "vulnerability": "VCID-jc1e-8tt4-xqdn" }, { "vulnerability": "VCID-seds-dzew-jyfs" }, { "vulnerability": "VCID-tsgr-5mwt-jkeh" }, { "vulnerability": "VCID-v2ys-xbn5-guh4" }, { "vulnerability": "VCID-zex4-9xyf-6yf1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc6%252Bdfsg1-2" } ], "aliases": [ "CVE-2019-5736" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7juj-78y7-g7b6" } ], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc6%252Bdfsg1-2" }