How severe is CVE-2023-25809?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.3 out of 10.

What type of vulnerability is CVE-2023-25809?

This is classified as CWE-281, which is a common weakness in software security.

CVE-2023-25809

MEDIUM Year: 2023

CVSS v3 Score

6.3

Medium

Weakness Type

CWE-281

View all →

Vulnerability Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.

CVE-2021-41089

MEDIUM

CVSS:6.3(Medium)

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted ...

CWE-2812021

CVE-2021-41091

MEDIUM

CVSS:6.3(Medium)

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirect...

CWE-2812021

CVE-2023-2993

MEDIUM

CVSS:6.3(Medium)

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the ...

CWE-2812023

CVE-2024-28152

MEDIUM

CVSS:6.3(Medium)

In Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, when discovering pull requests from forks, the trust policy "Forks in the same account" allo...

CWE-2812024

CVE-2024-50929

MEDIUM

CVSS:6.2(Medium)

Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller's memory, leading to a Denial of Service (DoS).

CWE-2812024

CVE-2021-3418

MEDIUM

CVSS:6.4(Medium)

If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot...

CWE-2812021

CVE-2023-25809

Vulnerability Description

Related Vulnerabilities

CVE-2021-41089

CVE-2021-41091

CVE-2023-2993

CVE-2024-28152

CVE-2024-50929

CVE-2021-3418