CVE-2023-28642
Public on 2023-03-29
Modified on 2025-09-23
Description
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | runc | No Fix Planned | ||
| Amazon Linux 2 - Docker Extra | runc | 2023-05-31 | ALAS2DOCKER-2023-025 | Fixed |
| Amazon Linux 2 - Ecs Extra | runc | 2023-05-31 | ALAS2ECS-2023-004 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | runc | 2023-05-31 | ALAS2NITRO-ENCLAVES-2023-024 | Fixed |
| Amazon Linux 2023 | runc | 2023-06-12 | ALAS2023-2023-208 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
| NVD | CVSSv3 | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |