Vulnerability Details : CVE-2019-19921
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
Products affected by CVE-2019-19921
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:1.0.0:rc9:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19921
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~14% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2019-19921
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 | NIST | |
CWE ids for CVE-2019-19921
- The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19921
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/ : [SECURITY] Fedora 36 Update: runc-1.1.6-1.fc36 - package-announce - Fedora Mailing-Lists
- https://access.redhat.com/errata/RHSA-2020:0688 : RHSA-2020:0688 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://usn.ubuntu.com/4297-1/ : USN-4297-1: runC vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0695 : RHSA-2020:0695 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://security.gentoo.org/glsa/202003-21 : runC: Multiple vulnerabilities (GLSA 202003-21) - Gentoo security (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/ : [SECURITY] Fedora 37 Update: runc-1.1.6-1.fc37 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/ : [SECURITY] Fedora 38 Update: runc-1.1.6-1.fc38 - package-announce - Fedora Mailing-Lists
- https://github.com/opencontainers/runc/issues/2197 : [CVE-2019-19921]: Volume mount race condition with shared mounts · Issue #2197 · opencontainers/runc · GitHub (Issue Tracking; Patch; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html : [security-announce] openSUSE-SU-2020:0219-1: moderate: Security update f (Broken Link; Mailing List; Third Party Advisory)
- https://github.com/opencontainers/runc/pull/2190 : Adding Security audit by amye · Pull Request #2190 · opencontainers/runc · GitHub (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html : [SECURITY] [DLA 3369-1] runc security update
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/ : [SECURITY] Fedora 37 Update: golang-github-opencontainers-runc-1.1.8-2.fc37 - package-announce - Fedora Mailing-Lists
- https://github.com/opencontainers/runc/releases : Releases · opencontainers/runc · GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/ : [SECURITY] Fedora 38 Update: golang-github-opencontainers-runc-1.1.8-2.fc38 - package-announce - Fedora Mailing-Lists
- https://security-tracker.debian.org/tracker/CVE-2019-19921 : CVE-2019-19921 (Third Party Advisory)