blob: 756094407a8d4176b85a5cb2c25214db79fa7949 [file] [log] [blame]
id: GO-2021-0087
modules:
- module: github.com/opencontainers/runc
versions:
- fixed: 1.0.0-rc9.0.20200122160610-2fc03cc11c77
vulnerable_at: 1.0.0-rc9.0.20191217094952-7496a9682535
packages:
- package: github.com/opencontainers/runc/libcontainer
symbols:
- mountToRootfs
skip_fix: 'TODO: Revisit this reason. (Fix causes multiple errors (dependent fields/methods undefined)'
summary: Race condition in github.com/opencontainers/runc
description: |-
A race while mounting volumes allows a possible symlink-exchange attack,
allowing a user whom can start multiple containers with custom volume mount
configurations to escape the container.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-19921
ghsas:
- GHSA-fh74-hm69-rqjw
credits:
- Leopold Schabel
references:
- fix: https://github.com/opencontainers/runc/pull/2207
- fix: https://github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
- web: https://github.com/opencontainers/runc/issues/2197
review_status: REVIEWED