CVE-2019-19921 — HIGH (7.0)

Q: How severe is CVE-2019-19921?

CVE-2019-19921 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-19921?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Runc, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Redhat Openshift Container Platform.

Vulnerability Description

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

CVSS Score

7.0

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linuxfoundation	Runc	<= 0.1.1
Debian	Debian Linux	9.0
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	18.04
Redhat	Openshift Container Platform	4.1

Related Weaknesses (CWE)

CWE-706

References

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.htmlBroken LinkMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0688Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0695Third Party Advisory
https://github.com/opencontainers/runc/issues/2197Issue TrackingPatchThird Party Advisory
https://github.com/opencontainers/runc/pull/2190Issue TrackingThird Party Advisory
https://github.com/opencontainers/runc/releasesThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security-tracker.debian.org/tracker/CVE-2019-19921Third Party Advisory
https://security.gentoo.org/glsa/202003-21Third Party Advisory
https://usn.ubuntu.com/4297-1/Third Party Advisory

FAQ

What is CVE-2019-19921?

CVE-2019-19921 is a vulnerability with a CVSS score of 7.0 (HIGH). runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with...

How severe is CVE-2019-19921?

CVE-2019-19921 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-19921?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Runc, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux, Redhat Openshift Container Platform.