{"id":"CVE-2019-19921","details":"runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)","aliases":["GHSA-fh74-hm69-rqjw","GO-2021-0087"],"modified":"2026-04-16T04:36:55.224935798Z","published":"2020-02-12T15:15:12.210Z","related":["ALSA-2020:1650","ALSA-2023:6380","ALSA-2023:6938","ALSA-2023:6939","CGA-9m6c-x7j6-hq56","SUSE-SU-2020:0375-1","SUSE-SU-2020:0376-1","SUSE-SU-2020:0944-1","SUSE-SU-2021:1458-1","openSUSE-SU-2020:0219-1","openSUSE-SU-2024:11358-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0688"},{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2019-19921"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-21"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4297-1/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0695"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html"},{"type":"ADVISORY","url":"https://github.com/opencontainers/runc/releases"},{"type":"REPORT","url":"https://github.com/opencontainers/runc/pull/2190"},{"type":"FIX","url":"https://github.com/opencontainers/runc/issues/2197"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"0"},{"last_affected":"baf6536d6259209c3edfa2b22237af82942d3dfa"},{"introduced":"0"},{"last_affected":"04f275d4601ca7e5ff9460cec7f65e8dd15443ec"},{"introduced":"0"},{"last_affected":"c91b5bea4830a57eac7882d7455d59518cdf70ec"},{"introduced":"0"},{"last_affected":"75f8da7c889acc4509a0cf6f0d3a8f9584778375"},{"introduced":"0"},{"last_affected":"2e7cfe036e2c6dc51ccca6eb7fa3ee6b63976dcd"},{"introduced":"0"},{"last_affected":"4fc53a81fb7c994640722ac585fa9ca548971871"},{"introduced":"0"},{"last_affected":"ccb5efd37fb7c86364786e9137e22948751de7ed"},{"introduced":"0"},{"last_affected":"69ae5da6afdcaaf38285a10b36f362e41cb298d6"},{"introduced":"0"},{"last_affected":"425e105d5a03fabd737a126ad93d62a9eeede87f"},{"introduced":"0"},{"last_affected":"d736ef14f0288d6993a1845745d6756cfc9ddd5a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.1.1"},{"introduced":"0"},{"last_affected":"1.0.0-rc1"},{"introduced":"0"},{"last_affected":"1.0.0-rc2"},{"introduced":"0"},{"last_affected":"1.0.0-rc3"},{"introduced":"0"},{"last_affected":"1.0.0-rc4"},{"introduced":"0"},{"last_affected":"1.0.0-rc5"},{"introduced":"0"},{"last_affected":"1.0.0-rc6"},{"introduced":"0"},{"last_affected":"1.0.0-rc7"},{"introduced":"0"},{"last_affected":"1.0.0-rc8"},{"introduced":"0"},{"last_affected":"1.0.0-rc9"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.1.0","v0.1.1","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.0-rc5","v1.0.0-rc6","v1.0.0-rc7","v1.0.0-rc8","v1.0.0-rc9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19921.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}