CVE-2019-19921: Use of Incorrectly-Resolved Name or Reference
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
References
- lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
- access.redhat.com/errata/RHSA-2020:0688
- access.redhat.com/errata/RHSA-2020:0695
- github.com/advisories/GHSA-fh74-hm69-rqjw
- github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
- github.com/opencontainers/runc/issues/2197
- github.com/opencontainers/runc/pull/2190
- github.com/opencontainers/runc/pull/2207
- github.com/opencontainers/runc/releases
- github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
- nvd.nist.gov/vuln/detail/CVE-2019-19921
- pkg.go.dev/vuln/GO-2021-0087
- security-tracker.debian.org/tracker/CVE-2019-19921
- security.gentoo.org/glsa/202003-21
- usn.ubuntu.com/4297-1/