cbcvebase.
CVE-2023-28642
published 2023-03-29


Priority: P3 (38)
Severity: high, 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.34% (26.1th percentile)
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is a symlink combined with a specific mount configuration. This issue has been fixed in runc version 1.1.5 by prohibiting a symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid running untrusted container images.
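The advisory says the fix rejects a symlinked `/proc` before procfs is mounted. The following Go program (runc is written in Go) is an added example written for this page, not runc's own code or the change in PR #3785: `CheckProcMount` is a hypothetical pre-mount check that inspects `<rootfs>/proc` with `Lstat` and refuses a symlink, and `BuildSampleRootfs` constructs two throwaway rootfs trees (a plain `/proc` directory and a `/proc` symlink pointing outside the rootfs, the shape the advisory describes) so the check can be exercised offline. The assumption that an absent `/proc` is fine because the runtime creates the mountpoint itself is the author's, not something the advisory states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrProcSymlink is returned when <rootfs>/proc is a symbolic link.
var ErrProcSymlink = errors.New("rootfs /proc is a symlink: refusing to mount procfs through it")

// CheckProcMount refuses to proceed when the container rootfs carries a
// symlinked /proc. A procfs mount placed through such a link does not land
// where the AppArmor profile expects /proc to be, which is the condition
// the advisory describes. Hypothetical check written for this page, not
// runc's code; see PR #3785 for the real fix.
func CheckProcMount(rootfs string) error {
	procPath := filepath.Join(rootfs, "proc")
	fi, err := os.Lstat(procPath) // Lstat: do not follow the very link we are looking for
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			// Assumption: an absent /proc is harmless because the runtime
			// creates a real directory as the mountpoint.
			return nil
		}
		return fmt.Errorf("stat %s: %w", procPath, err)
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return ErrProcSymlink
	}
	if !fi.IsDir() {
		return fmt.Errorf("rootfs /proc is not a directory (mode %s)", fi.Mode())
	}
	return nil
}

// BuildSampleRootfs constructs a throwaway rootfs under dir (constructed
// sample data for this example). With symlinkProc set, /proc is a symlink
// pointing outside the rootfs; otherwise it is an ordinary empty directory.
func BuildSampleRootfs(dir string, symlinkProc bool) (string, error) {
	rootfs := filepath.Join(dir, "rootfs")
	if err := os.MkdirAll(rootfs, 0o755); err != nil {
		return "", err
	}
	if !symlinkProc {
		return rootfs, os.Mkdir(filepath.Join(rootfs, "proc"), 0o755)
	}
	outside := filepath.Join(dir, "outside")
	if err := os.MkdirAll(outside, 0o755); err != nil {
		return "", err
	}
	// Relative link, so it resolves the same way wherever the bundle is unpacked.
	return rootfs, os.Symlink(filepath.Join("..", "outside"), filepath.Join(rootfs, "proc"))
}

func main() {
	base, err := os.MkdirTemp("", "cve-2023-28642-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, tc := range []struct {
		name    string
		symlink bool
	}{{"plain-dir", false}, {"symlinked", true}} {
		rootfs, err := BuildSampleRootfs(filepath.Join(base, tc.name), tc.symlink)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s -> %v\n", tc.name, CheckProcMount(rootfs))
	}
}
```

A check of this kind is only as good as its ordering: it must run in the same privileged context that performs the mount, and an untrusted image can still race a plain stat-then-mount sequence unless the runtime operates on an already-opened directory descriptor rather than a path. That race handling is outside this example.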

Affected (18 ranges)

Vendor           Product                                      Version range                                                  Fixed in
debian           runc                                         < 1.1.5+ds1-1 (bookworm)                                       1.1.5+ds1-1 (bookworm)
github.com       opencontainers_runc                          >= 0, < 1.1.5                                                  1.1.5
linuxfoundation  runc                                         < 1.1.5                                                        1.1.5
linuxfoundation  runc                                         >= 0, < 1.0.0~rc93+ds1-5+deb11u5                               1.0.0~rc93+ds1-5+deb11u5
linuxfoundation  runc                                         >= 0, < 1.1.5+ds1-1                                            1.1.5+ds1-1
linuxfoundation  runc                                         >= 0, < 1.1.5+ds1-1                                            1.1.5+ds1-1
linuxfoundation  runc                                         >= 0, < 1.1.5+ds1-1                                            1.1.5+ds1-1
linuxfoundation  runc                                         >= 0, < 1.1.4-0ubuntu1~18.04.2                                 1.1.4-0ubuntu1~18.04.2
linuxfoundation  runc                                         >= 0, < 1.1.4-0ubuntu1~20.04.3                                 1.1.4-0ubuntu1~20.04.3
linuxfoundation  runc                                         >= 0, < 1.1.4-0ubuntu1~22.04.3                                 1.1.4-0ubuntu1~22.04.3
linuxfoundation  runc                                         >= 0, < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4   1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm4
msrc             cbl2_moby-runc_1.1.5-1_on_cbl_mariner_2.0    (no range given)                                               (not given)
msrc             cbl_mariner_1.0_arm                          (no range given)                                               (not given)
msrc             cbl_mariner_1.0_x64                          (no range given)                                               (not given)
msrc             cbl_mariner_2.0_arm                          (no range given)                                               (not given)
msrc             cbl_mariner_2.0_x64                          (no range given)                                               (not given)
msrc             cm1_moby-runc_1.1.5+azure-1_on_cbl_mariner_1.0  (no range given)                                            (not given)
opencontainers   runc                                         < 1.1.5                                                        1.1.5

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             3.1      7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa                     7.0    HIGH
osv                      7.8    HIGH
vendor_msrc              7.8    HIGH
vendor_ubuntu            7.0    HIGH
vendor_debian            6.1    MEDIUM
vendor_redhat            6.1    MEDIUM