Fedora EPEL 6 update for docker-io
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2014-6407 CVE-2014-6408 |
| CWE-ID | CWE-59 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system docker-io Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Link following
EUVDB-ID: #VU32458
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-6407
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 6.0
docker-io: before 1.3.2-2.el6
CPE2.3- cpe:2.3:o:fedoraproject:fedora:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:docker-io:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4281
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32459
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-6408
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 6.0
docker-io: before 1.3.2-2.el6
CPE2.3- cpe:2.3:o:fedoraproject:fedora:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:docker-io:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4281
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
