CVE-2019-10144

CWE-250 CWE-269 — Improper Privilege Management7 documents6 sources

Severity

7.7HIGH

EPSS

0.1%

top 69.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat RKT [unknown] RKT

Timeline

PublishedJun 3

Latest updateMay 24

Description

rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are given all capabilities during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.1 | Impact: 6.0

Affected Packages2 packages

▶NVDredhat/rkt1.30.0

▶CVEListV5[unknown]/rkt1.30.0

🔴Vulnerability Details

GHSA

GHSA-53c8-4j57-m6p5: rkt through version 1↗2022-05-24

▶

CVEList

CVE-2019-10144: rkt through version 1↗2019-06-03

▶

OSV

CVE-2019-10144: rkt through version 1↗2019-06-03

▶

🕵️Threat Intelligence

Unit42

Breaking Out of rkt – 3 New Unpatched CVEs↗2019-05-30

▶

💬Community

Bugzilla

CVE-2019-10144 rkt: processes run with `rkt enter` are given all capabilities during stage 2 [fedora-all]↗2019-05-31

▶

Bugzilla

CVE-2019-10144 rkt: processes run with `rkt enter` are given all capabilities during stage 2↗2019-05-20

▶