blob: 1aab94ffaa2a6a7c974d5b8c34fc52cb3d80a65c [file] [log] [blame]
id: GO-2021-0070
modules:
- module: github.com/opencontainers/runc
versions:
- fixed: 0.1.0
vulnerable_at: 0.0.9
packages:
- package: github.com/opencontainers/runc/libcontainer/user
symbols:
- GetExecUser
derived_symbols:
- GetExecUserPath
summary: Privilege escalation in github.com/opencontainers/runc
description: |-
GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will
improperly interpret numeric UIDs as usernames. If the method is used without
verifying that usernames are formatted as expected, it may allow a user to gain
unexpected privileges.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2016-3697
ghsas:
- GHSA-q3j5-32m5-58c2
references:
- fix: https://github.com/opencontainers/runc/pull/708
- fix: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
- web: https://github.com/docker/docker/issues/21436
- web: http://rhn.redhat.com/errata/RHSA-2016-1034.html
- web: http://rhn.redhat.com/errata/RHSA-2016-2634.html
- web: https://security.gentoo.org/glsa/201612-28
review_status: REVIEWED