Description
Advisory CVE-2024-45310 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/opencontainers/runc |
Description:
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of plac...
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45310
- FIX: opencontainers/runc@63c2908
- FIX: opencontainers/runc@8781993
- FIX: opencontainers/runc@f0b652e
- FIX: rootfs: consolidate mountpoint creation logic opencontainers/runc#4359
- WEB: GHSA-jfvp-7x6p-h2pv
Cross references:
- github.com/opencontainers/runc appears in 12 other report(s):
- data/reports/GO-2021-0070.yaml (dummy issue #70)
- data/reports/GO-2021-0085.yaml (dummy issue #85)
- data/reports/GO-2021-0087.yaml (dummy issue #87)
- data/reports/GO-2022-0274.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-43784 #274)
- data/reports/GO-2022-0396.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-g54h-m393-cpwq #396)
- data/reports/GO-2022-0452.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2022-29162 #452)
- data/reports/GO-2022-0835.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-gp4j-w3vj-7299 #835)
- data/reports/GO-2022-0914.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-30465, GHSA-c3xm-pvg7-gh7r #914)
- data/reports/GO-2023-1627.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-vpvm-3wq2-2wvm #1627)
- data/reports/GO-2023-1682.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-25809 #1682)
- data/reports/GO-2023-1683.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-28642 #1683)
- data/reports/GO-2024-2491.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2024-21626 #2491)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/opencontainers/runc
vulnerable_at: 1.1.14
summary: CVE-2024-45310 in github.com/opencontainers/runc
cves:
- CVE-2024-45310
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45310
- fix: https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7
- fix: https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e
- fix: https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf
- fix: https://github.com/opencontainers/runc/pull/4359
- web: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
source:
id: CVE-2024-45310
created: 2024-09-03T21:01:24.412308071Z
review_status: UNREVIEWED