CVE Vulnerability

CVE-2019-10147

rkt through version 1.30.0 does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.

6.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.4 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

7.7 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.1 / Impact : 6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/ Exploit Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10147 Issue Tracking Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:rkt:*:*:*:*:*:*:*:*
Information

Published : 2019-06-03 07:29

Updated : 2020-09-30 02:21

NVD link : CVE-2019-10147

Mitre link : CVE-2019-10147

Products Affected
No products.
CWE
CWE-862