rpm package
suse/runc&distro=SUSE Linux Enterprise Module for Containers 12
pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45310 | Low | 3.6 | < 1.1.14-16.55.1 | 1.1.14-16.55.1 | Sep 3, 2024 | runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between | |
| CVE-2024-21626 | Hig | 8.6 | < 1.1.11-16.43.1 | 1.1.11-16.43.1 | Jan 31, 2024 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h | |
| CVE-2023-28642 | Med | 6.1 | < 1.1.5-16.29.1 | 1.1.5-16.29.1 | Mar 29, 2023 | runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibitin | |
| CVE-2023-25809 | Med | 5.0 | < 1.1.5-16.29.1 | 1.1.5-16.29.1 | Mar 29, 2023 | runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does n | |
| CVE-2023-27561 | Hig | 7.0 | < 1.1.5-16.29.1 | 1.1.5-16.29.1 | Mar 3, 2023 | runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this is | |
| CVE-2022-31030 | Med | 5.5 | < 1.1.3-16.21.1 | 1.1.3-16.21.1 | Jun 9, 2022 | containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume a | |
| CVE-2022-29162 | Med | 5.9 | < 1.1.3-16.21.1 | 1.1.3-16.21.1 | May 17, 2022 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environme | |
| CVE-2021-43784 | Med | 6.0 | < 1.0.3-16.18.1 | 1.0.3-16.18.1 | Dec 6, 2021 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespac | |
| CVE-2021-41091 | Med | 6.3 | < 1.0.2-16.14.1 | 1.0.2-16.14.1 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege | |
| CVE-2021-41089 | Low | 2.8 | < 1.0.2-16.14.1 | 1.0.2-16.14.1 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h | |
| CVE-2021-41092 | Med | 5.4 | < 1.0.2-16.14.1 | 1.0.2-16.14.1 | Oct 4, 2021 | Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHel | |
| CVE-2021-41103 | Hig | 7.8 | < 1.0.2-16.14.1 | 1.0.2-16.14.1 | Oct 4, 2021 | containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to tra | |
| CVE-2021-32760 | Med | 5.0 | < 1.0.2-16.14.1 | 1.0.2-16.14.1 | Jul 19, 2021 | containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions | |
| CVE-2021-30465 | Hig | 8.5 | < 1.0.0~rc93-16.11.1 | 1.0.0~rc93-16.11.1 | May 27, 2021 | runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on | |
| CVE-2021-21334 | Med | 6.3 | < 1.0.0~rc93-16.8.1 | 1.0.0~rc93-16.8.1 | Mar 10, 2021 | In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may | |
| CVE-2021-21285 | Med | 6.5 | < 1.0.0~rc93-16.8.1 | 1.0.0~rc93-16.8.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. | |
| CVE-2021-21284 | Med | 6.8 | < 1.0.0~rc93-16.8.1 | 1.0.0~rc93-16.8.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy | |
| CVE-2020-12912 | Med | 5.5 | < 1.1.10-16.40.1 | 1.1.10-16.40.1 | Nov 12, 2020 | A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr | |
| CVE-2020-8695 | Med | 5.5 | < 1.1.10-16.40.1 | 1.1.10-16.40.1 | Nov 12, 2020 | Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | |
| CVE-2020-8694 | Med | 5.5 | < 1.1.10-16.40.1 | 1.1.10-16.40.1 | Nov 12, 2020 | Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
- affected < 1.1.14-16.55.1fixed 1.1.14-16.55.1
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between
- affected < 1.1.11-16.43.1fixed 1.1.11-16.43.1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
- affected < 1.1.5-16.29.1fixed 1.1.5-16.29.1
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibitin
- affected < 1.1.5-16.29.1fixed 1.1.5-16.29.1
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does n
- affected < 1.1.5-16.29.1fixed 1.1.5-16.29.1
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this is
- affected < 1.1.3-16.21.1fixed 1.1.3-16.21.1
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume a
- affected < 1.1.3-16.21.1fixed 1.1.3-16.21.1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environme
- affected < 1.0.3-16.18.1fixed 1.0.3-16.18.1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespac
- affected < 1.0.2-16.14.1fixed 1.0.2-16.14.1
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege
- affected < 1.0.2-16.14.1fixed 1.0.2-16.14.1
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h
- affected < 1.0.2-16.14.1fixed 1.0.2-16.14.1
Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHel
- affected < 1.0.2-16.14.1fixed 1.0.2-16.14.1
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to tra
- affected < 1.0.2-16.14.1fixed 1.0.2-16.14.1
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions
- affected < 1.0.0~rc93-16.11.1fixed 1.0.0~rc93-16.11.1
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on
- affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may
- affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
- affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy
- affected < 1.1.10-16.40.1fixed 1.1.10-16.40.1
A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr
- affected < 1.1.10-16.40.1fixed 1.1.10-16.40.1
Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
- affected < 1.1.10-16.40.1fixed 1.1.10-16.40.1
Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Page 1 of 2