Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:rpm/redhat/container-tools:latest/runc@4:1.1.9-1?arch=el9

Type rpm

Namespace redhat/container-tools:latest

Name runc

Version 4:1.1.9-1

Qualifiers

arch	el9

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url

VCID-41bb-kmck-3kf6

vulnerability_id

VCID-41bb-kmck-3kf6

summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json

reference_id

reference_type

scores

value	5.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43784.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-43784

reference_id

reference_type

scores

value	0.00115
scoring_system	epss
scoring_elements	0.29731
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-43784

reference_url

https://bugs.chromium.org/p/project-zero/issues/detail?id=2241

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugs.chromium.org/p/project-zero/issues/detail?id=2241

reference_url

https://github.com/opencontainers/runc

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc

reference_url

https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554

reference_url

https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae

reference_url

https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77

reference_url

https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed

reference_url

https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f

reference_url

https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html

reference_url

https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-43784

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-43784

reference_url

https://pkg.go.dev/vuln/GO-2022-0274

reference_id

reference_type

scores

value	6.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://pkg.go.dev/vuln/GO-2022-0274

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2029439
reference_id	2029439
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2029439

reference_url

https://security.archlinux.org/AVG-2599

reference_id

AVG-2599

reference_type

scores

value	Low
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2599

reference_url	https://security.gentoo.org/glsa/202408-25
reference_id	GLSA-202408-25
reference_type
scores
url	https://security.gentoo.org/glsa/202408-25

reference_url	https://access.redhat.com/errata/RHSA-2023:6380
reference_id	RHSA-2023:6380
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6380

fixed_packages

aliases

CVE-2021-43784, GHSA-v95c-p5hm-xq8f

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-41bb-kmck-3kf6

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/container-tools:latest/runc@4:1.1.9-1%3Farch=el9

Package Instance