Vulnerability details: VCID-78xd-zy32-aaas
Vulnerability ID VCID-78xd-zy32-aaas
Aliases CVE-2023-25809
GHSA-m8cg-xc2p-r3fc
Summary runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`.
Status Published
Exploitability 0.5
Weighted Severity 5.7
Risk 2.9
Weaknesses (2)
System Score Found at
cvssv3 6.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00044 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-25809
cvssv3.1 2.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 3.6 https://github.com/opencontainers/runc
generic_textual LOW https://github.com/opencontainers/runc
cvssv3.1 2.5 https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
cvssv3.1 5 https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
generic_textual LOW https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
ssvc Track https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
cvssv3.1 2.5 https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
cvssv3.1 5 https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
generic_textual LOW https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
ssvc Track https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
cvssv3 6.3 https://nvd.nist.gov/vuln/detail/CVE-2023-25809
cvssv3.1 6.3 https://nvd.nist.gov/vuln/detail/CVE-2023-25809
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25809.json
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Found at https://github.com/opencontainers/runc
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L Found at https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/ Found at https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L Found at https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T16:02:19Z/ Found at https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-25809
Exploit Prediction Scoring System (EPSS)
Percentile 0.05575
EPSS Score 0.00026
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.