CVE-2019-5736: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host…

high8.6CVSS 3.1

AVLACLPRNUIRSCCHIHAH

EXPLOIT

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Affected

58 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	mesos	>= 1.4.0 < 1.4.3	1.4.3
apache	mesos	>= 1.5.0 < 1.5.3	1.5.3
apache	mesos	>= 1.6.0 < 1.6.2	1.6.2
apache	mesos	>= 1.7.0 < 1.7.2	1.7.2
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
d2iq	dc_os	< 1.10.10	1.10.10
d2iq	dc_os	>= 1.10.11 < 1.11.9	1.11.9
d2iq	dc_os	>= 1.11.10 < 1.12.1	1.12.1
d2iq	kubernetes_engine	< 2.2.0-1.13.3	2.2.0-1.13.3
debian	docker.io	—	—
debian	firejail	< firejail 0.9.58.2-2 (bookworm)	firejail 0.9.58.2-2 (bookworm)
debian	lxc	< lxc 1:3.1.0+really3.0.3-4 (bookworm)	lxc 1:3.1.0+really3.0.3-4 (bookworm)
debian	runc	< lxc 1:3.1.0+really3.0.3-4 (bookworm)	lxc 1:3.1.0+really3.0.3-4 (bookworm)
docker	docker	< 18.09.2	18.09.2
docker	docker	—	—
docker	docker	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
firejail_project	firejail	< 0.9.60	0.9.60
firejail_project	firejail	>= 0 < 0.9.58.2-2	0.9.58.2-2
firejail_project	firejail	>= 0 < 0.9.58.2-2	0.9.58.2-2
firejail_project	firejail	>= 0 < 0.9.58.2-2	0.9.58.2-2

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

nvdv3.08.1HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv8.6HIGH

vulncheck8.6HIGH