{"id":"CVE-2019-16884","details":"runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.","aliases":["GHSA-fgv8-vj5c-2ppq","GO-2021-0085"],"modified":"2026-05-11T12:05:21.334711Z","published":"2019-09-25T18:15:13.057Z","related":["ALSA-2019:4269","CGA-x28q-hfg9-3p5x","SUSE-SU-2019:2786-1","SUSE-SU-2019:2787-1","SUSE-SU-2019:2810-1","SUSE-SU-2020:0035-1","SUSE-SU-2020:0065-1","SUSE-SU-2021:1458-1","openSUSE-SU-2019:2418-1","openSUSE-SU-2019:2434-1","openSUSE-SU-2020:0045-1","openSUSE-SU-2024:11358-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"4.1"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"4.2"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"19.10"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"29"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"30"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"31"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.1"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.1"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.2"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.2"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.2"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"8.4"}],"source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00016.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62OQ2P7K5YDZ5BRCH2Q6DHUJIHQD3QCD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPK4JWP32BUIVDJ3YODZSOEVEW6BHQCF/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00009.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00010.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3940"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4074"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4269"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-21"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220221-0004/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4297-1/"},{"type":"REPORT","url":"https://github.com/opencontainers/runc/issues/2128"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moby/moby","events":[{"introduced":"0"},{"last_affected":"ed20165a37b40ff1cfbe55e218344c5e89f30ee2"},{"last_affected":"63df8cf4b5d6473291eaf499107825c41af3b5e4"}],"database_specific":{"cpe":["cpe:2.3:a:docker:docker:*:*:*:*:community:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"19.03.2"},{"last_affected":"18.04"}],"source":"CPE_FIELD"}}],"versions":["0.0.3","docs-v1.12.0-rc4-2016-07-15","upstream/0.1.2","upstream/0.1.3","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.3.2","v0.4.1","v0.4.2","v0.4.4","v0.4.5","v0.4.7","v0.5.0","v0.6.5","v0.7.0","v0.7.1","v0.7.2","v18.04.0-ce","v18.04.0-ce-rc2","v18.06.0-ce-rc1","v18.09.0-ce-tp0","v19.03.0","v19.03.0-beta1","v19.03.0-beta2","v19.03.0-beta3","v19.03.0-beta4","v19.03.0-beta5","v19.03.0-rc2","v19.03.0-rc3","v19.03.1","v19.03.2","v19.03.2-beta1","v19.03.2-rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16884.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/opencontainers/runc","events":[{"introduced":"2598484b97994f61781e4f40b9782e0809e4e2c2"},{"last_affected":"baf6536d6259209c3edfa2b22237af82942d3dfa"},{"introduced":"0"},{"last_affected":"04f275d4601ca7e5ff9460cec7f65e8dd15443ec"},{"last_affected":"c91b5bea4830a57eac7882d7455d59518cdf70ec"},{"last_affected":"75f8da7c889acc4509a0cf6f0d3a8f9584778375"},{"last_affected":"2e7cfe036e2c6dc51ccca6eb7fa3ee6b63976dcd"},{"last_affected":"4fc53a81fb7c994640722ac585fa9ca548971871"},{"last_affected":"ccb5efd37fb7c86364786e9137e22948751de7ed"},{"last_affected":"69ae5da6afdcaaf38285a10b36f362e41cb298d6"},{"last_affected":"425e105d5a03fabd737a126ad93d62a9eeede87f"}],"database_specific":{"cpe":["cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc7:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:1.0.0:rc8:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0.0.1"},{"last_affected":"0.1.1"},{"introduced":"0"},{"last_affected":"1.0.0-rc1"},{"last_affected":"1.0.0-rc2"},{"last_affected":"1.0.0-rc3"},{"last_affected":"1.0.0-rc4"},{"last_affected":"1.0.0-rc5"},{"last_affected":"1.0.0-rc6"},{"last_affected":"1.0.0-rc7"},{"last_affected":"1.0.0-rc8"}],"source":"CPE_FIELD"}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.1.0","v0.1.1","v1.0.0-rc1","v1.0.0-rc2","v1.0.0-rc3","v1.0.0-rc4","v1.0.0-rc5","v1.0.0-rc6","v1.0.0-rc7","v1.0.0-rc8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16884.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}