Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/461815?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/461815?format=api", "purl": "pkg:apk/alpine/runc@1.0.0_rc95-r0?arch=ppc64le&distroversion=v3.12&reponame=community", "type": "apk", "namespace": "alpine", "name": "runc", "version": "1.0.0_rc95-r0", "qualifiers": { "arch": "ppc64le", "distroversion": "v3.12", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47806?format=api", "vulnerability_id": "VCID-9mdg-3961-cybf", "summary": "mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs\n### Summary\n\nrunc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby\nan attacker can request a seemingly-innocuous container configuration that\nactually results in the host filesystem being bind-mounted into the container\n(allowing for a container escape). CVE-2021-30465 has been assigned for this\nissue.\n\nAn attacker must have the ability to start containers using some kind of custom\nvolume configuration, and while recommended container hardening mechanisms such\nas LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of\ndamage an attacker could do, they do not block this attack outright. We have a\nreproducer using Kubernetes (and the below description mentions\nKubernetes-specific paths), but this is not a Kubernetes-specific issue.\n\nThe now-released [runc v1.0.0-rc95][release] contains a fix for this issue, we\nrecommend users update as soon as possible.\n\n[release]: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95\n\n### Details\n\nIn circumstances where a container is being started, and runc is mounting\ninside a volume shared with another container (which is conducting a\nsymlink-exchange attack), runc can be tricked into mounting outside of the\ncontainer rootfs by swapping the target of a mount with a symlink due to a\ntime-of-check-to-time-of-use (TOCTTOU) flaw. This is fairly similar in style to\nprevious TOCTTOU attacks (and is a problem we are working on solving with\nlibpathrs).\n\nHowever, this alone is not useful because this happens inside a mount namespace\nwith `MS_SLAVE` propagation applied to `/` (meaning that the mount doesn't\nappear on the host -- it's only a \"host-side mount\" inside the container's\nnamespace). To exploit this, you must have additional mount entries in the\nconfiguration that use some subpath of the mounted-over host path as a source\nfor a subsequent mount.\n\nHowever, it turns out with some container orchestrators (such as Kubernetes --\nthough it is very likely that other downstream users of runc could have similar\nbehaviour be accessible to untrusted users), the existence of additional volume\nmanagement infrastructure allows this attack to be applied to gain access to\nthe host filesystem without requiring the attacker to have completely arbitrary\ncontrol over container configuration.\n\nIn the case of Kubernetes, this is exploitable by creating a symlink in a\nvolume to the top-level (well-known) directory where volumes are sourced from\n(for instance,\n`/var/lib/kubelet/pods/$MY_POD_UID/volumes/kubernetes.io~empty-dir`), and then\nusing that symlink as the target of a mount. The source of the mount is an\nattacker controlled directory, and thus the source directory from which\nsubsequent mounts will occur is an attacker-controlled directory. Thus the\nattacker can first place a symlink to `/` in their malicious source directory\nwith the name of a volume, and a subsequent mount in the container will\nbind-mount `/` into the container.\n\nApplying this attack requires the attacker to start containers with a slightly\npeculiar volume configuration (though not explicitly malicious-looking such as\nbind-mounting `/` into the container explicitly), and be able to run malicious\ncode in a container that shares volumes with said volume configuration. It\nhelps the attacker if the host paths used for volume management are well known,\nthough this is not a hard requirement.\n\n### Patches\nThis has been patched in runc 1.0.0-rc95, and users should upgrade as soon as\npossible. The patch itself can be found [here](https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f).\n\n### Workarounds\n\nThere are no known workarounds for this issue.\n\nHowever, users who enforce running containers with more confined security\nprofiles (such as reduced capabilities, not running code as root in the\ncontainer, user namespaces, AppArmor/SELinux, and seccomp) will restrict what\nan attacker can do in the case of a container breakout -- we recommend users\nmake use of strict security profiles if possible (most notably user namespaces\n-- which can massively restrict the impact a container breakout can have on the\nhost system).\n\n### References\n* [commit](https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f)\n* [seclists public disclosure](https://www.openwall.com/lists/oss-security/2021/05/19/2)\n\n### Credit\n\nThanks to Etienne Champetier for discovering and disclosing this vulnerability,\nto Noah Meyerhans for writing the first draft of this patch, and to Samuel Karp\nfor testing it.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencontainers/runc/issues).\n* Email us at <security@opencontainers.org>.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30465.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30465.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.8089", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.80913", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01473", "scoring_system": "epss", "scoring_elements": "0.80881", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84354", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84383", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84357", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.02175", "scoring_system": "epss", "scoring_elements": "0.84353", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.8492", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84879", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84902", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84909", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84927", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.02358", "scoring_system": "epss", "scoring_elements": "0.84926", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30465" }, { "reference_url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1185405", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1185405" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f" }, { "reference_url": "https://github.com/opencontainers/runc/releases", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/releases" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HOARVIT47RULTTFWAU7XBG4WY6TDDHV", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HOARVIT47RULTTFWAU7XBG4WY6TDDHV" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30465" }, { "reference_url": "https://security.gentoo.org/glsa/202107-26", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202107-26" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210708-0003", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20210708-0003" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/05/19/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2021/05/19/2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954736", "reference_id": "1954736", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954736" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988768", "reference_id": "988768", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988768" }, { "reference_url": "https://security.archlinux.org/ASA-202105-17", "reference_id": "ASA-202105-17", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202105-17" }, { "reference_url": "https://security.archlinux.org/AVG-1972", "reference_id": "AVG-1972", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1972" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1562", "reference_id": "RHSA-2021:1562", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1562" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1566", "reference_id": "RHSA-2021:1566", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1566" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2057", "reference_id": "RHSA-2021:2057", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2057" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2144", "reference_id": "RHSA-2021:2144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2144" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2145", "reference_id": "RHSA-2021:2145", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2145" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2150", "reference_id": "RHSA-2021:2150", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2150" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2291", "reference_id": "RHSA-2021:2291", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2291" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2292", "reference_id": "RHSA-2021:2292", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2292" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2370", "reference_id": "RHSA-2021:2370", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2370" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2371", "reference_id": "RHSA-2021:2371", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2371" }, { "reference_url": "https://usn.ubuntu.com/4960-1/", "reference_id": "USN-4960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4960-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-4867-1/", "reference_id": "USN-USN-4867-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-4867-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/461815?format=api", "purl": "pkg:apk/alpine/runc@1.0.0_rc95-r0?arch=ppc64le&distroversion=v3.12&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/runc@1.0.0_rc95-r0%3Farch=ppc64le&distroversion=v3.12&reponame=community" } ], "aliases": [ "CVE-2021-30465", "GHSA-c3xm-pvg7-gh7r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9mdg-3961-cybf" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/runc@1.0.0_rc95-r0%3Farch=ppc64le&distroversion=v3.12&reponame=community" }