{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-15T16:34:48.772Z", "datePublished": "2023-03-29T18:22:56.875Z", "dateUpdated": "2025-02-12T16:02:24.090Z"}, "containers": {"cna": {"title": "rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc", "problemTypes": [{"descriptions": [{"cweId": "CWE-281", "lang": "en", "description": "CWE-281: Improper Preservation of Permissions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}, {"name": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}], "affected": [{"vendor": "opencontainers", "product": "runc", "versions": [{"version": "< 1.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-29T18:22:56.875Z"}, "descriptions": [{"lang": "en", "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.\n"}], "source": {"advisory": "GHSA-m8cg-xc2p-r3fc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.344Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}, {"name": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T16:02:19.074002Z", "id": "CVE-2023-25809", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T16:02:24.090Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-15T16:34:48.772Z", "datePublished": "2023-03-29T18:22:56.875Z", "dateUpdated": "2025-02-12T16:02:24.090Z"}, "containers": {"cna": {"title": "rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc", "problemTypes": [{"descriptions": [{"cweId": "CWE-281", "lang": "en", "description": "CWE-281: Improper Preservation of Permissions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}, {"name": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}], "affected": [{"vendor": "opencontainers", "product": "runc", "versions": [{"version": "< 1.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-29T18:22:56.875Z"}, "descriptions": [{"lang": "en", "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.\n"}], "source": {"advisory": "GHSA-m8cg-xc2p-r3fc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.344Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}, {"name": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-25809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T16:02:19.074002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T16:02:04.365Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE0C5D34-F78A-4993-AC70-25A6606FC82B", "versionEndExcluding": "1.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.\n"}], "id": "CVE-2023-25809", "lastModified": "2024-11-21T07:50:14.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-29T19:15:22.170", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:6938", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:4.0-8090020230828093056.e7857ab1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6939", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8090020230825121312.e7857ab1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6380", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "runc-4:1.1.9-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:1326", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-vsphere-csi-driver-syncer-rhel8:v4.13.0-202304190216.p0.g6f4295b.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2023-05-17T00:00:00Z"}], "bugzilla": {"description": "runc: Rootless runc makes `/sys/fs/cgroup` writable", "id": "2182884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-276", "details": ["runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.", "A flaw was found in runc, where it is vulnerable to a denial of service caused by improper access control in the /sys/fs/cgroup endpoint. This flaw allows a local authenticated attacker to cause a denial of service."], "mitigation": {"lang": "en:us", "value": "Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.\nCondition 2 (very rare): add /sys/fs/cgroup to maskedPaths"}, "name": "CVE-2023-25809", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "runc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "container-tools:3.0/runc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "runc", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "microshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-pod", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "runc", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2023-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-25809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-25809\nhttps://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"], "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-276: Incorrect Default Permissions vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess enforcement ensures that only authorized users can access system resources, reducing the risk of exploited default permissions. Remote access controls further limit exposure by blocking unauthorized external access, preventing attackers from leveraging misconfigured permissions. Baseline and configuration setting controls enforce secure defaults, reducing the likelihood of weak permissions at deployment. Access restrictions for change ensure only authorized personnel can modify system configurations, preventing accidental or malicious security weaknesses. Together, these controls mitigate the risk of unauthorized access, privilege escalation, and exploitation of insecure default permissions.", "threat_severity": "Moderate"}

{}