CVE-2019-18837Link Following in Project Crun

CWE-59Link Following4 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.6%
top 31.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Crun Project CrunCrunFedoraproject Fedora
Timeline
PublishedNov 13
Latest updateMay 24

Description

An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't correctly check whether a target is a symlink, resulting in access to files outside of the container. This occurs in libcrun/linux.c and libcrun/chroot_realpath.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages2 packages

NVDcrun_project/crun< 0.10.5
CVEListV5crun/crunbefore 0.10.5

Also affects: Fedora 30, 31

🔴Vulnerability Details

2
GHSA
GHSA-992m-xc3g-r7rj: An issue was discovered in crun before 02022-05-24
CVEList
CVE-2019-18837: An issue was discovered in crun before 02019-11-13

📋Vendor Advisories

1
Debian
CVE-2019-18837: crun - An issue was discovered in crun before 0.10.5. With a crafted image, it doesn't ...2019
CVE-2019-18837 — Link Following in Crun Project Crun | cvebase