CVE-2023-25809
Date: March 29, 2023
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes "/sys/fs/cgroup" writable under the following conditions:
1. when runc is executed inside the user namespace, and the "config.json" does not specify the cgroup namespace to be unshared (e.g., "(docker|podman|nerdctl) run --cgroupns=host", with Rootless Docker/Podman/nerdctl), or
2. when runc is executed outside the user namespace, and "/sys" is mounted with "rbind, ro" (e.g., "runc spec --rootless"; this condition is very rare).
A container may gain write access to the user-owned cgroup hierarchy "/sys/fs/cgroup/user.slice/..." on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ("(docker|podman|nerdctl) run --cgroupns=private"), which is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts, or add "/sys/fs/cgroup" to "maskedPaths".
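The advisory's two workarounds both live in the OCI runtime spec that runc consumes: either a "cgroup" entry in "linux.namespaces" (what "--cgroupns=private" produces) or "/sys/fs/cgroup" in "linux.maskedPaths". The following Go program is an added example, not runc's or the advisory's own code: it parses a config.json, reports whether either workaround is present, and adds the maskedPaths entry when neither is. The sample config is constructed for illustration; the assumption that a "cgroup" namespace entry with no "path" means a freshly unshared namespace is ours.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the OCI runtime spec config.json needed for this check.
// Field names follow the runtime-spec JSON keys "linux.namespaces" and "linux.maskedPaths".
type ociNamespace struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"` // set when joining an existing namespace
}

type ociLinux struct {
	Namespaces  []ociNamespace `json:"namespaces"`
	MaskedPaths []string       `json:"maskedPaths"`
}

type ociConfig struct {
	OCIVersion string   `json:"ociVersion"`
	Linux      ociLinux `json:"linux"`
}

// ParseConfig decodes a config.json document into the subset above.
func ParseConfig(data []byte) (*ociConfig, error) {
	var cfg ociConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// HasPrivateCgroupNS reports whether the spec asks runc to unshare a new cgroup
// namespace (the effect of "--cgroupns=private"). Assumption: an entry with a
// "path" joins an existing namespace, so only a path-less entry counts.
func HasPrivateCgroupNS(cfg *ociConfig) bool {
	for _, ns := range cfg.Linux.Namespaces {
		if ns.Type == "cgroup" && ns.Path == "" {
			return true
		}
	}
	return false
}

// MasksCgroupFS reports whether "/sys/fs/cgroup" is listed in maskedPaths.
func MasksCgroupFS(cfg *ociConfig) bool {
	for _, p := range cfg.Linux.MaskedPaths {
		if p == "/sys/fs/cgroup" {
			return true
		}
	}
	return false
}

// IsMitigated is true when at least one of the advisory's two workarounds applies.
func IsMitigated(cfg *ociConfig) bool {
	return HasPrivateCgroupNS(cfg) || MasksCgroupFS(cfg)
}

// ApplyMaskedPathWorkaround adds "/sys/fs/cgroup" to maskedPaths if it is not
// already there (the advisory's second workaround) and returns the same config.
func ApplyMaskedPathWorkaround(cfg *ociConfig) *ociConfig {
	if !MasksCgroupFS(cfg) {
		cfg.Linux.MaskedPaths = append(cfg.Linux.MaskedPaths, "/sys/fs/cgroup")
	}
	return cfg
}

// Constructed sample: a rootless spec that keeps the host cgroup namespace
// (no "cgroup" namespace entry) and masks only a proc path. Not from a real system.
const sampleHostCgroupNS = `{
  "ociVersion": "1.0.2",
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
    "maskedPaths": ["/proc/kcore"]
  }
}`

// Constructed sample: the same spec with a private cgroup namespace requested.
const samplePrivateCgroupNS = `{
  "ociVersion": "1.0.2",
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}, {"type": "cgroup"}],
    "maskedPaths": ["/proc/kcore"]
  }
}`

func main() {
	cfg, err := ParseConfig([]byte(sampleHostCgroupNS))
	if err != nil {
		panic(err)
	}
	fmt.Println("mitigated before:", IsMitigated(cfg)) // false
	ApplyMaskedPathWorkaround(cfg)
	fmt.Println("mitigated after:", IsMitigated(cfg)) // true
	out, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(out))
}
```

Run the program against a real config.json by replacing the constructed sample with the file contents; a spec that reports "mitigated: false" is one that, on an affected runc, leaves the user-owned cgroup hierarchy writable from inside the container.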
Language: Go
Severity Score
Weakness Type (CWE): CWE-281 Improper Preservation of Permissions

CVSS v3.1
Base Score:

Metric | Value
---|---
Attack Vector (AV) | LOCAL
Attack Complexity (AC) | HIGH
Privileges Required (PR) | HIGH
User Interaction (UI) | NONE
Scope (S) | CHANGED
Confidentiality (C) | LOW
Integrity (I) | LOW
Availability (A) | LOW