CVE-2019-5736

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-5736
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-5736.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-5736
Downstream
Related
Published
2019-02-11T19:29:00Z
Modified
2025-10-13T08:57:24.521824Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

References

Affected packages

Git / github.com/docker-archive/docker-ce

Affected ranges

Type
GIT
Repo
https://github.com/docker-archive/docker-ce
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/docker/docker
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/docker/engine
Events
Type
GIT
Repo
https://github.com/lxc/lxc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/opencontainers/runc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
GIT
Repo
https://github.com/apache/mesos
Events

Affected versions

1.*

1.4.0
1.4.0-rc5
1.4.1
1.4.1-rc1
1.4.2
1.4.2-rc1
1.4.3-rc1

lxc-0.*

lxc-0.6.5
lxc-0.7.0
lxc-0.7.1
lxc-0.7.2
lxc-0.7.3
lxc-0.7.4
lxc-0.7.4-rc1
lxc-0.7.5
lxc-0.8.0
lxc-0.8.0-rc2
lxc-0.9.0
lxc-0.9.0.alpha1
lxc-0.9.0.alpha2
lxc-0.9.0.alpha3
lxc-0.9.0.rc1

lxc-1.*

lxc-1.0.0
lxc-1.0.0.alpha1
lxc-1.0.0.alpha2
lxc-1.0.0.alpha3
lxc-1.0.0.beta1
lxc-1.0.0.beta2
lxc-1.0.0.beta3
lxc-1.0.0.beta4
lxc-1.0.0.rc1
lxc-1.0.0.rc2
lxc-1.0.0.rc3
lxc-1.0.0.rc4
lxc-1.1.0
lxc-1.1.0.alpha1
lxc-1.1.0.alpha2
lxc-1.1.0.alpha3
lxc-1.1.0.rc1
lxc-1.1.0.rc2
lxc-1.1.0.rc3
lxc-1.1.0.rc4

lxc-2.*

lxc-2.0.0
lxc-2.0.0.beta1
lxc-2.0.0.beta2
lxc-2.0.0.rc1
lxc-2.0.0.rc10
lxc-2.0.0.rc11
lxc-2.0.0.rc12
lxc-2.0.0.rc13
lxc-2.0.0.rc14
lxc-2.0.0.rc15
lxc-2.0.0.rc2
lxc-2.0.0.rc3
lxc-2.0.0.rc4
lxc-2.0.0.rc5
lxc-2.0.0.rc6
lxc-2.0.0.rc7
lxc-2.0.0.rc8
lxc-2.0.0.rc9
lxc-2.1.0

lxc-3.*

lxc-3.0.0
lxc-3.0.0.beta1
lxc-3.0.0.beta2
lxc-3.0.0.beta3
lxc-3.0.0.beta4
lxc-3.1.0

Other

lxc_0_1_0
lxc_0_2_0
lxc_0_2_1
lxc_0_4_0
lxc_0_5_0
lxc_0_5_1
lxc_0_5_2
lxc_0_6_0
lxc_0_6_1
lxc_0_6_2
lxc_0_6_3
lxc_0_6_4

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1

v1.*

v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.0.0-rc5
v1.0.0-rc6

v18.*

v18.09.0
v18.09.0-beta3
v18.09.0-beta5
v18.09.0-ce-beta1
v18.09.0-ce-tp0
v18.09.0-ce-tp3
v18.09.0-ce-tp4
v18.09.0-ce-tp5
v18.09.0-ce-tp6
v18.09.0-rc1
v18.09.1
v18.09.1-beta1
v18.09.1-beta2
v18.09.1-rc1

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2019-5736-1cffac28",
            "source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "206209469052802163709281360376397312675",
                    "48219882597669953983429687793407620753",
                    "213043235157353488768314210772726520178",
                    "251821556443359960608428361047721063429",
                    "93222659505421272286403399172694346479",
                    "107309039482126281655838517999257961732"
                ]
            },
            "target": {
                "file": "libcontainer/nsenter/nsexec.c"
            }
        },
        {
            "id": "CVE-2019-5736-c45baaa5",
            "source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Function",
            "digest": {
                "length": 6892.0,
                "function_hash": "43249958159973239119332662430070161949"
            },
            "target": {
                "file": "libcontainer/nsenter/nsexec.c",
                "function": "nsexec"
            }
        }
    ]
}