CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go…

high7.5CVSS 3.1

AVNACLPRNUINSUCNIHAN

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

Affected

33 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	golang-github-opencontainers-selinux	< golang-github-opencontainers-selinux 1.3.0-2 (bookworm)	golang-github-opencontainers-selinux 1.3.0-2 (bookworm)
debian	runc	< golang-github-opencontainers-selinux 1.3.0-2 (bookworm)	golang-github-opencontainers-selinux 1.3.0-2 (bookworm)
docker	docker	<= 19.03.2	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
github.com	opencontainers_runc	>= 0 < 1.0.0-rc8.0.20190930145003-cad42f6e0932	1.0.0-rc8.0.20190930145003-cad42f6e0932
github.com	opencontainers_selinux	>= 0 < 1.3.1-0.20190929122143-5215b1806f52	1.3.1-0.20190929122143-5215b1806f52
linuxfoundation	runc	—	—
linuxfoundation	runc	>= 0 < 1.0.0~rc9+dfsg1-1	1.0.0~rc9+dfsg1-1
linuxfoundation	runc	>= 0 < 1.0.0~rc9+dfsg1-1	1.0.0~rc9+dfsg1-1
linuxfoundation	runc	>= 0 < 1.0.0~rc9+dfsg1-1	1.0.0~rc9+dfsg1-1
linuxfoundation	runc	>= 0 < 1.0.0~rc9+dfsg1-1	1.0.0~rc9+dfsg1-1
linuxfoundation	runc	>= 0 < 1.0.0~rc10-0ubuntu1~18.04.2	1.0.0~rc10-0ubuntu1~18.04.2
linuxfoundation	runc	>= 0 < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm2	1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm2
linuxfoundation	runc	0.0.1 – 0.1.1	—
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cm1_moby-buildx_0.4.1+azure-3_on_cbl_mariner_1.0	—	—
opensuse	leap	—	—
opensuse	leap	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux_eus	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

osv7.5HIGH