CGA-hqm9-wq7w-hpgg

Published

Last updated

https://images.chainguard.dev/security/CGA-hqm9-wq7w-hpgg

Package

podman

Latest Update

Fixed

Fixed Version

5.2.2-r1

Aliases

CVE-2023-28642
GHSA-g2j6-57v7-gm8c

Severity

7.8

High

CVSS V3

Summary

runc AppArmor bypass with symlinked /proc

Description

Impact

It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.

Patches

Fixed in runc v1.1.5, by prohibiting symlinked /proc: https://github.com/opencontainers/runc/pull/3785

This PR fixes CVE-2023-27561 as well.

Workarounds

Avoid using an untrusted container image.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-28642
https://github.com/advisories/GHSA-g2j6-57v7-gm8c
https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
https://github.com/opencontainers/runc/pull/3785
https://github.com/opencontainers/runc
https://security.netapp.com/advisory/ntap-20241206-0005

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-hqm9-wq7w-hpgg

Severity

Summary

Description

Impact

Patches

Workarounds

References

Updates

Product

Why Chainguard

Customers

Company

Resources