Cyphar

**Name of the Vulnerable Software and Affected Versions** runc versions 1.1.11 and earlier **Description** The issue is related to an internal file descriptor leak in runc, which allows an attacker to cause a newly-spawned container process to have a working directory in the host filesystem namespace. This can lead to a container escape, giving access to the host filesystem. The same attack can be used by a malicious image to allow a container process to gain access to the host filesystem through runc run. Variants of these attacks can also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes. It is estimated that at least 80% of cloud environments are exposed to this issue. **Recommendations** For runc versions 1.1.11 and earlier, update to runc version 1.1.12 to address the issue. If you are using containerd, update to version 1.6.28 or 1.7.13, which include the patched runc version. For Docker, update to version 24.0.9 or 25.0.2. As a temporary workaround, consider restricting access to the vulnerable `process.cwd` and `process.args` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 14.0.0 **Description** The issue concerns a missing state in the software that fails to enforce the use of a second factor at login if the provider of the second factor fails to load. **Recommendations** For versions prior to 14.0.0, update to version 14.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** runc versions through 1.0.0-rc9 runc version 1.0.0-rc10 is not affected, as it contains the fix for this issue. **Description** The issue is related to incorrect access control, leading to escalation of privileges. An attacker must be able to spawn two containers with custom volume-mount configurations and run custom images to exploit this. The vulnerability is related to libcontainer/rootfs linux.go. By crafting a malicious root filesystem, an attacker can trick runc into not correctly configuring the container's security labels and not correctly masking paths inside /proc, which contain potentially-sensitive information about the host. This could allow for direct attacks against the host. **Recommendations** For runc versions through 1.0.0-rc9, update to version 1.0.0-rc10 to resolve the issue. As a temporary workaround, consider restricting access to custom volume mount configurations and custom images to minimize the risk of exploitation. Review access policies to ensure that untrusted users do not have high levels of control over container mount configuration.