Description
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
References (8)
Third Party Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-1034.html
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/opencontainers/runc/releases/tag/v0.1.0
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2016-05/msg00111.html
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/docker/docker/issues/21436
Third Party Advisory (x_refsource_confirm): https://github.com/opencontainers/runc/pull/708
Third Party Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-2634.html
Third Party Advisory (x_refsource_confirm): https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201612-28
Scores
CVSS v3: 7.8
EPSS: 0.0007
EPSS Percentile: 21.1%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-264
Status: published
Products (4)
docker/docker: < 1.11.1
linuxfoundation/runc: < 0.0.9
opencontainers/runc: 0 - 0.1.0 (Go)
opensuse/opensuse: 13.2
Published: Jun 01, 2016
Tracked Since: Feb 18, 2026