{"id":"GO-2021-0070","summary":"Privilege escalation in github.com/opencontainers/runc","details":"GetExecUser in the github.com/opencontainers/runc/libcontainer/user package improperly interprets numeric UIDs as usernames. If the function is called without first verifying that usernames are formatted as expected, a user may gain unexpected privileges.","aliases":["CVE-2016-3697","GHSA-q3j5-32m5-58c2"],"modified":"2026-03-17T04:05:44.956273Z","published":"2021-04-14T20:04:52Z","related":["CGA-93mr-rgfh-pxq2"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0070"},"references":[{"type":"FIX","url":"https://github.com/opencontainers/runc/pull/708"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091"},{"type":"WEB","url":"https://github.com/docker/docker/issues/21436"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2016-1034.html"},{"type":"WEB","url":"http://rhn.redhat.com/errata/RHSA-2016-2634.html"},{"type":"WEB","url":"https://security.gentoo.org/glsa/201612-28"}],"affected":[{"package":{"name":"github.com/opencontainers/runc","ecosystem":"Go","purl":"pkg:golang/github.com/opencontainers/runc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.1.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["GetExecUser","GetExecUserPath"],"path":"github.com/opencontainers/runc/libcontainer/user"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0070.json"}}],"schema_version":"1.7.5"}