Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/938522?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/938522?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u4?distro=trixie", "type": "deb", "namespace": "debian", "name": "runc", "version": "1.0.0~rc93+ds1-5+deb11u4", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "1.0.3+ds1-1", "latest_non_vulnerable_version": "1.3.5+ds1-1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37083?format=api", "vulnerability_id": "VCID-3yvf-q4uj-dbdh", "summary": "Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC\n### Impact\n\nIn runc, [netlink](https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.\n\nThis vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces.\n\nPrior to 9c444070ec7bb83995dbc0185da68284da71c554, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc's `config.json`, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting **would allow the attacker to disable namespace protections entirely anyway** (setting them to `/proc/1/ns/...` for instance). In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter.\n\nHowever, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c444070ec7bb83995dbc0185da68284da71c554 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios.\n\nThe main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure), though as mentioned above it appears this bug was not practically exploitable on any released version of runc to date.\n\n### Patches\nThe patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed.\n\n### Workarounds\nTo the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.\n\n### References\n* commit d72d057ba794 (\"runc init: avoid netlink message length overflows\")\n* https://bugs.chromium.org/p/project-zero/issues/detail?id=2241\n\n### Credits\nThanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability. In particular, the fact they found this vulnerability so quickly, before we made a 1.1 release of runc (which would've been vulnerable) was quite impressive.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our repo](https://github.com/opencontainers/runc)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29775", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29842", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.29958", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30027", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30175", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30078", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30128", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30171", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30168", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30132", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30073", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30255", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30206", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30072", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00115", "scoring_system": "epss", "scoring_elements": "0.30093", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43784" }, { "reference_url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43784" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554" }, { "reference_url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae" }, { "reference_url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77" }, { "reference_url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:09:32Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2022-0274", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2022-0274" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439", "reference_id": "2029439", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439" }, { "reference_url": "https://security.archlinux.org/AVG-2599", "reference_id": "AVG-2599", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2599" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", "reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938522?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u4?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938512?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938521?format=api", "purl": "pkg:deb/debian/runc@1.0.3%2Bds1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.3%252Bds1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938510?format=api", "purl": "pkg:deb/debian/runc@1.1.5%2Bds1-1%2Bdeb12u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.1.5%252Bds1-1%252Bdeb12u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938514?format=api", "purl": "pkg:deb/debian/runc@1.1.15%2Bds1-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.1.15%252Bds1-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938513?format=api", "purl": "pkg:deb/debian/runc@1.3.5%2Bds1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.3.5%252Bds1-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2021-43784", "GHSA-v95c-p5hm-xq8f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3yvf-q4uj-dbdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30928?format=api", "vulnerability_id": "VCID-v2ys-xbn5-guh4", "summary": "rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc\n### Impact\nIt was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons:\n1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl)\n2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare)\n\nA container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host .\nOther users's cgroup hierarchies are not affected.\n\n### Patches\nv1.1.5 (planned)\n\n### Workarounds\n- Condition 1: Unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.\n- Condition 2 (very rare): add `/sys/fs/cgroup` to `maskedPaths`", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10136", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10045", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10103", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10001", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10077", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10138", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10176", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10115", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00037", "scoring_system": "epss", "scoring_elements": "0.10769", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1195", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12063", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.11946", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12007", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12039", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25809" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25809" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/opencontainers/runc", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/opencontainers/runc" }, { "reference_url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/" } ], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17" }, { "reference_url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/" } ], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884", "reference_id": "2182884", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884" }, { "reference_url": "https://security.gentoo.org/glsa/202408-25", "reference_id": "GLSA-202408-25", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-25" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1326", "reference_id": "RHSA-2023:1326", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1326" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6380", "reference_id": "RHSA-2023:6380", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6380" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6938", "reference_id": "RHSA-2023:6938", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6938" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6939", "reference_id": "RHSA-2023:6939", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6939" }, { "reference_url": "https://usn.ubuntu.com/6088-1/", "reference_id": "USN-6088-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-1/" }, { "reference_url": "https://usn.ubuntu.com/6088-2/", "reference_id": "USN-6088-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6088-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/938522?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u4?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938512?format=api", "purl": "pkg:deb/debian/runc@1.0.0~rc93%2Bds1-5%2Bdeb11u5?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u5%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938525?format=api", "purl": "pkg:deb/debian/runc@1.1.5%2Bds1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.1.5%252Bds1-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938510?format=api", "purl": "pkg:deb/debian/runc@1.1.5%2Bds1-1%2Bdeb12u1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" }, { "vulnerability": "VCID-x2zb-mehm-ebge" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.1.5%252Bds1-1%252Bdeb12u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938514?format=api", "purl": "pkg:deb/debian/runc@1.1.15%2Bds1-2?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mt76-ah1b-s3gc" }, { "vulnerability": "VCID-vk37-s4p6-fufm" }, { "vulnerability": "VCID-wxsf-mu1t-aqa4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.1.15%252Bds1-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/938513?format=api", "purl": "pkg:deb/debian/runc@1.3.5%2Bds1-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.3.5%252Bds1-1%3Fdistro=trixie" } ], "aliases": [ "CVE-2023-25809", "GHSA-m8cg-xc2p-r3fc" ], "risk_score": 2.9, "exploitability": "0.5", "weighted_severity": "5.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v2ys-xbn5-guh4" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/runc@1.0.0~rc93%252Bds1-5%252Bdeb11u4%3Fdistro=trixie" }