cbcvebase.
CVE-2023-25809
published 2023-03-29


Priority: P4 (29)
Severity: medium, CVSS 3.1 base score 6.3
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.33% (24.4th percentile)
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable under the following conditions:

1. when runc is executed inside the user namespace and the `config.json` does not specify the cgroup namespace to be unshared (e.g. `(docker|podman|nerdctl) run --cgroupns=host` with Rootless Docker/Podman/nerdctl), or
2. when runc is executed outside the user namespace and `/sys` is mounted with `rbind, ro` (e.g. `runc spec --rootless`; this condition is very rare).

A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`.
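The two checks a practitioner wants after reading the advisory are (a) whether a running container actually sees `/sys/fs/cgroup` read-write, and (b) whether a bundle's `config.json` applies one of the two workarounds. The script below is an added example, not runc's or the advisory's own code. It reads the mountinfo format documented in proc(5) and the `linux.namespaces` / `linux.maskedPaths` fields of an OCI `config.json`; the mountinfo lines and the config fragment are constructed for illustration. On a real host, feed it `/proc/self/mountinfo` from inside the container and the bundle's `config.json`.

```python
"""Added example (not runc's own code): check a container's view of
/sys/fs/cgroup and audit or harden an OCI config.json for CVE-2023-25809.

Sample mountinfo lines and the config fragment are constructed; on a real
host read /proc/self/mountinfo inside the container and the bundle's
config.json instead.
"""
import copy
import json

# /proc/self/mountinfo (proc(5)):
#   id parent maj:min root mountpoint per-mount-opts [optional...] - fstype source super-opts
# Field 6 (per-mount options) starts with "rw" or "ro" and is what governs
# writes at that mountpoint.  A read-only flag on the /sys mount does not by
# itself make the cgroup submount read-only (the flag is per mount), which is
# why the check looks at /sys/fs/cgroup's own entry rather than at /sys.
def cgroup_mount_writable(mountinfo_text, mountpoint="/sys/fs/cgroup"):
    """True if the last mount listed at `mountpoint` is rw, False if ro.
    Raises LookupError when nothing is mounted there."""
    state = None
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        if fields[4] == mountpoint:
            # a later entry over-mounts an earlier one, so keep the last seen
            state = fields[5].split(",")[0] == "rw"
    if state is None:
        raise LookupError(f"no mount at {mountpoint}")
    return state


def config_mitigated(config):
    """True if an OCI config dict applies either workaround from the advisory:
    a private cgroup namespace, or /sys/fs/cgroup listed in linux.maskedPaths."""
    linux = config.get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "cgroup" in ns_types:
        return True
    return "/sys/fs/cgroup" in linux.get("maskedPaths", [])


def harden_config(config, use_cgroupns=True):
    """Return a copy of `config` with a workaround applied: unshare the cgroup
    namespace (the Docker/Podman/nerdctl default on cgroup v2), or, when that
    is not wanted, mask /sys/fs/cgroup.  The input dict is left untouched."""
    out = copy.deepcopy(config)
    linux = out.setdefault("linux", {})
    if use_cgroupns:
        nss = linux.setdefault("namespaces", [])
        if not any(ns.get("type") == "cgroup" for ns in nss):
            nss.append({"type": "cgroup"})
    else:
        masked = linux.setdefault("maskedPaths", [])
        if "/sys/fs/cgroup" not in masked:
            masked.append("/sys/fs/cgroup")
    return out


# Constructed sample: /sys read-only but the cgroup2 mount beneath it writable,
# the shape of the problem the advisory describes.
SAMPLE_MOUNTINFO_VULN = """\
100 90 0:30 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
101 100 0:31 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
"""
# Constructed sample: the same tree with the cgroup mount read-only.
SAMPLE_MOUNTINFO_FIXED = """\
100 90 0:30 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
101 100 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup ro
"""

# Constructed config.json fragment: a rootless bundle whose namespace list
# omits "cgroup" (the --cgroupns=host case) and does not mask /sys/fs/cgroup.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "maskedPaths": ["/proc/kcore"],
    },
}

if __name__ == "__main__":
    print("cgroup mount writable:", cgroup_mount_writable(SAMPLE_MOUNTINFO_VULN))
    print("config mitigated:", config_mitigated(SAMPLE_CONFIG))
    print(json.dumps(harden_config(SAMPLE_CONFIG, use_cgroupns=False)["linux"], indent=2))
```

`harden_config` defaults to the cgroup-namespace workaround because that is also the upstream fix's long-term posture on cgroup v2 hosts; `maskedPaths` is the fallback for bundles that must keep the host cgroup namespace, for example to read host-level cgroup statistics. Neither replaces upgrading to 1.1.5.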

Affected

18 ranges

Vendor          | Product                                         | Version range                                                 | Fixed in
debian          | runc                                            | < runc 1.1.5+ds1-1 (bookworm)                                 | runc 1.1.5+ds1-1 (bookworm)
github.com      | opencontainers_runc                             | >= 0, < 1.1.5                                                 | 1.1.5
linuxfoundation | runc                                            | < 1.1.5                                                       | 1.1.5
linuxfoundation | runc                                            | >= 0, < 1.0.0~rc93+ds1-5+deb11u4                              | 1.0.0~rc93+ds1-5+deb11u4
linuxfoundation | runc                                            | >= 0, < 1.1.5+ds1-1                                           | 1.1.5+ds1-1
linuxfoundation | runc                                            | >= 0, < 1.1.5+ds1-1                                           | 1.1.5+ds1-1
linuxfoundation | runc                                            | >= 0, < 1.1.5+ds1-1                                           | 1.1.5+ds1-1
linuxfoundation | runc                                            | >= 0, < 1.1.4-0ubuntu1~18.04.2                                | 1.1.4-0ubuntu1~18.04.2
linuxfoundation | runc                                            | >= 0, < 1.1.4-0ubuntu1~20.04.3                                | 1.1.4-0ubuntu1~20.04.3
linuxfoundation | runc                                            | >= 0, < 1.1.4-0ubuntu1~22.04.3                                | 1.1.4-0ubuntu1~22.04.3
linuxfoundation | runc                                            | >= 0, < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4  | 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4
msrc            | cbl2_moby-runc_1.1.5-1_on_cbl_mariner_2.0       | (no range given)                                              | (not given)
msrc            | cbl_mariner_1.0_arm                             | (no range given)                                              | (not given)
msrc            | cbl_mariner_1.0_x64                             | (no range given)                                              | (not given)
msrc            | cbl_mariner_2.0_arm                             | (no range given)                                              | (not given)
msrc            | cbl_mariner_2.0_x64                             | (no range given)                                              | (not given)
msrc            | cm1_moby-runc_1.1.5+azure-1_on_cbl_mariner_1.0  | (no range given)                                              | (not given)
opencontainers  | runc                                            | < 1.1.5                                                       | 1.1.5

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 6.3   | MEDIUM   | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
osv           |         | 7.0   | HIGH     |
vendor_ubuntu |         | 7.0   | HIGH     |
vendor_msrc   |         | 6.3   | MEDIUM   |
vendor_debian |         | 5.0   | MEDIUM   |
vendor_redhat |         | 5.0   | MEDIUM   |