Vulnerability Report: GO-2021-0070

CVE-2016-3697, GHSA-q3j5-32m5-58c2
Affects: github.com/opencontainers/runc
Published: Apr 14, 2021
Modified: Jun 12, 2023

GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

Affected Packages

Path

Versions

Symbols
github.com/opencontainers/runc/libcontainer/user

before v0.1.0
- GetExecUser
- GetExecUserPath

Aliases

CVE-2016-3697
GHSA-q3j5-32m5-58c2

References

https://github.com/opencontainers/runc/pull/708
https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
https://github.com/docker/docker/issues/21436
http://rhn.redhat.com/errata/RHSA-2016-1034.html
http://rhn.redhat.com/errata/RHSA-2016-2634.html
https://security.gentoo.org/glsa/201612-28
https://vuln.go.dev/ID/GO-2021-0070.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL