CVE-2023-28642

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*

History

07 Nov 2023, 04:10

Type Values Removed Values Added
Summary runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.

Information

Published : 2023-03-29 19:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-28642

Mitre link : CVE-2023-28642

CVE.ORG link : CVE-2023-28642


JSON object : View

Products Affected

linuxfoundation

  • runc
CWE
CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-281

Improper Preservation of Permissions