CVE-2018-15664

HIGH

Docker through 18.06.1-ce-rc2 - Directory Traversal and Arbitrary File Write via Symlink Exchange

Title source: llm

Description

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

References (11)

Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.suse.com/show_bug.cgi?id=1096726
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/moby/moby/pull/39252
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/05/28/1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108507
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4048-1/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1910
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/08/21/1

Scores

CVSS v3 7.5
EPSS 0.0340
EPSS Percentile 87.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-362
Status published
Products (14)
docker/docker 17.06.0-ce (6 CPE variants)
docker/docker 17.06.1-ce (5 CPE variants)
docker/docker 17.06.2-ce (2 CPE variants)
docker/docker 17.07.0-ce (5 CPE variants)
docker/docker 17.09.0-ce (4 CPE variants)
docker/docker 17.09.1-ce
docker/docker 17.09.1-ce-rc1
docker/docker 17.10.0-ce (3 CPE variants)
docker/docker 17.11.0-ce (5 CPE variants)
docker/docker 17.12.0-ce (5 CPE variants)
... and 4 more
Published May 23, 2019
Tracked Since Feb 18, 2026