CVE-2019-10147 — Execution with Unnecessary Privileges in Redhat RKT

CWE-250 — Execution with Unnecessary Privileges CWE-862 — Missing Authorization7 documents6 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 67.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat RKT

Timeline

PublishedJun 3

Latest updateMay 24

Description

rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.1 | Impact: 6.0

Affected Packages1 packages

▶NVDredhat/rkt1.30.0

🔴Vulnerability Details

GHSA

GHSA-mr55-c2c7-jch7: rkt through version 1↗2022-05-24

▶

OSV

CVE-2019-10147: rkt through version 1↗2019-06-03

▶

CVEList

CVE-2019-10147: rkt through version 1↗2019-06-03

▶

🕵️Threat Intelligence

Unit42

Breaking Out of rkt – 3 New Unpatched CVEs↗2019-05-30

▶

💬Community

Bugzilla

CVE-2019-10147 rkt: processes run with `rkt enter` are not limited by cgroups during stage 2 [fedora-all]↗2019-05-31

▶

Bugzilla

CVE-2019-10147 rkt: processes run with `rkt enter` are not limited by cgroups during stage 2↗2019-05-28

▶