vipinsun/fabric-token-sdk

CVE-2024-21626 (High) detected in github.com/opencontainers/runc-v1.0.1

Opened this issue · 0 comments

mend-bolt-for-github commented

CVE-2024-21626 - High Severity Vulnerability

Vulnerable Library - github.com/opencontainers/runc-v1.0.1

CLI tool for spawning and running containers according to the OCI specification

Library home page: https://proxy.golang.org/github.com/opencontainers/runc/@v/v1.0.1.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/hyperledger-labs/fabric-smart-client (Root Library)
    • github.com/Docker/Docker-v20.10.7+incompatible
      • github.com/opencontainers/runc-v1.0.1 (Vulnerable Library)

Found in HEAD commit: 999f5d255a183e22a067e6411929924a0bacd65f

Found in base branch: main

Vulnerability Details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Publish Date: 2024-01-31

URL: CVE-2024-21626

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xr7r-f8xq-vfvv

Release Date: 2024-01-31

Fix Resolution: github.com/opencontainers/runc-v1.1.12

Step up your Open Source Security Game with Mend here