dgraph-io / dgraph

The database for modern applications. Common use cases: knowledge graphs for AI, fraud detection, personalization, and search. Built and maintained by @HypermodeInc.
https://dgraph.io

Runc Go Module Vulnerabilities: CVE-2019-5736 #5570

Closed darkn3rd closed 4 years ago

darkn3rd commented 4 years ago

What version of Dgraph are you using?

Have you tried reproducing the issue with the latest release?

What is the hardware spec (RAM, OS)?

Steps to reproduce the issue (command/config used to run Dgraph).

Expected behaviour and actual result.

Expected no CVE Reports.

Got these results:

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-5736]  Containment Errors (Container Errors)                                           ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ runc through 1.0-rc6, as used in Docker before 18.09.2 and other products,  ┃
┃                    ┃ allows attackers to overwrite the host runc binary (and consequently obtain ┃
┃                    ┃ host root access) by leveraging the ability to execute a command as root    ┃
┃                    ┃ within one of these types of containers: (1) a new container with an        ┃
┃                    ┃ attacker-controlled image, or (2) an existing container, to which the       ┃
┃                    ┃ attacker previously had write access, that can be attached with docker      ┃
┃                    ┃ exec. This occurs because of file-descriptor mishandling, related to        ┃
┃                    ┃ /proc/self/exe.                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ d089f726-f419-4e72-ab60-05be37d02b68                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 8.6/10 (High)                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/d089f726-f419-4e72-ab60-05be37d02b68     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

darkn3rd commented 4 years ago

Closing to make one issue: https://github.com/dgraph-io/dgraph/issues/5569