CVE-2023-27561
CVSS V2 None
CVSS V3 None
Description
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
Overview
- CVE ID
- CVE-2023-27561
- Assigner
- cve@mitre.org
- Vulnerability Status
- Modified
- Published Version
- 2023-03-03T19:15:11
- Last Modified Date
- 2023-04-21T04:15:42
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:* | 1 | OR | 1.1.5 | |
| cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | 1 | OR |
References
| Reference URL | Reference Tags |
|---|---|
| https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 | Exploit Third Party Advisory |
| https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 | Issue Tracking Third Party Advisory |
| https://github.com/opencontainers/runc/issues/3751 | Issue Tracking Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/ | |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/ | |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/ |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-27561 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27561 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 05:55:26 | Added to TrackCVE | |||
| 2023-04-17 05:55:27 | Weakness Enumeration | new | ||
| 2023-04-21 04:01:41 | 2023-04-21T03:15:07 | CVE Modified Date | updated | |
| 2023-04-21 04:01:41 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-04-21 04:01:42 | References | updated | ||
| 2023-04-21 05:01:33 | 2023-04-21T04:15:42 | CVE Modified Date | updated | |
| 2023-04-21 05:01:34 | References | updated |