VYPR

rpm package

suse/runc&distro=SUSE Linux Enterprise Module for Containers 12

pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012

Vulnerabilities (29)

  • CVE-2019-19921HigFeb 12, 2020
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vul

  • CVE-2019-16884HigSep 25, 2019
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

  • CVE-2019-5736HigFeb 11, 2019
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new conta

  • CVE-2018-16875MedDec 14, 2018
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates

  • CVE-2018-16874HigDec 14, 2018
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but

  • CVE-2018-16873HigDec 14, 2018
    affected < 1.0.0~rc93-16.8.1fixed 1.0.0~rc93-16.8.1

    In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPA

  • CVE-2017-8932MedJul 6, 2017
    affected < 0.1.1+gitr2947_9c2d8d1-20.3fixed 0.1.1+gitr2947_9c2d8d1-20.3

    A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input

  • CVE-2016-9962MedJan 31, 2017
    affected < 0.1.1+gitr2819_50a19c6-15.2fixed 0.1.1+gitr2819_50a19c6-15.2

    RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to conta

  • CVE-2016-8867HigOct 28, 2016
    affected < 0.1.1+gitr2816_02f8fa7-9.1fixed 0.1.1+gitr2816_02f8fa7-9.1

    Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.

Page 2 of 2