{"id":"GO-2021-0085","summary":"Authorization bypass in github.com/opencontainers/runc","details":"AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.","aliases":["CVE-2019-16884","GHSA-fgv8-vj5c-2ppq"],"modified":"2026-03-17T04:05:43.302971Z","published":"2021-04-14T20:04:52Z","related":["CGA-x28q-hfg9-3p5x"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0085"},"references":[{"type":"FIX","url":"https://github.com/opencontainers/runc/pull/2130"},{"type":"FIX","url":"https://github.com/opencontainers/runc/commit/cad42f6e0932db0ce08c3a3d9e89e6063ec283e4"},{"type":"FIX","url":"https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da"},{"type":"WEB","url":"https://github.com/opencontainers/runc/issues/2128"}],"affected":[{"package":{"name":"github.com/opencontainers/runc","ecosystem":"Go","purl":"pkg:golang/github.com/opencontainers/runc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.0-rc8.0.20190930145003-cad42f6e0932"}]}],"ecosystem_specific":{"imports":[{"symbols":["ApplyProfile"],"path":"github.com/opencontainers/runc/libcontainer/apparmor"},{"symbols":["CloseExecFrom"],"path":"github.com/opencontainers/runc/libcontainer/utils"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0085.json"}},{"package":{"name":"github.com/opencontainers/selinux","ecosystem":"Go","purl":"pkg:golang/github.com/opencontainers/selinux"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.3.1-0.20190929122143-5215b1806f52"}]}],"ecosystem_specific":{"imports":[{"symbols":["readCon","writeCon"],"path":"github.com/opencontainers/selinux/go-selinux"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0085.json"}}],"schema_version":"1.7.5","credits":[{"name":"Leopold Schabel"}]}