Command Injection Affecting github.com/opencontainers/runc/libcontainer package, versions <1.0.0-rc7
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-6186508
- published 24 Jan 2024
- disclosed 11 Feb 2019
- credit Unknown
Introduced: 11 Feb 2019
CVE-2019-5736 Open this link in a new tabHow to fix?
Upgrade github.com/opencontainers/runc/libcontainer to version 1.0.0-rc7 or higher.
Overview
github.com/opencontainers/runc/libcontainer is a package for a modern container runtime.
Affected versions of this package are vulnerable to Command Injection runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.