CVE-2024-45310

CWE-61 CWE-363 CWE-22 — Path Traversal9 documents7 sources

Severity

3.6LOW

EPSS

0.1%

top 65.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opencontainers Runc Github.com Opencontainers/runc Linuxfoundation Runc

Timeline

PublishedSep 3

Latest updateSep 10

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of cus…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5opencontainers/runc< 1.1.14+1

▶Gogithub.com/opencontainers/runc1.2.0-rc.1 — 1.2.0-rc.3+1

▶NVDlinuxfoundation/runc< 1.1.14+1

▶Debianrunc< 1.1.15+ds1-1+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Can be confused to create empty files/directories on the host in github.com/opencontainers/runc↗2024-09-06

▶

OSV

CVE-2024-45310: runc is a CLI tool for spawning and running containers according to the OCI specification↗2024-09-03

▶

OSV

runc can be confused to create empty files/directories on the host↗2024-09-03

▶

GHSA

runc can be confused to create empty files/directories on the host↗2024-09-03

▶

CVEList

runc can be confused to create empty files/directories on the host↗2024-09-03

▶

📋Vendor Advisories

Microsoft

runc can be confused to create empty files/directories on the host↗2024-09-10

▶

Red Hat

runc: runc can be tricked into creating empty files/directories on host↗2024-09-03

▶

Debian

CVE-2024-45310: runc - runc is a CLI tool for spawning and running containers according to the OCI spec...↗2024

▶