Main Vulnerability Database Exploits ID:4750 - Exploit for Deserialization of Untrusted Data in Docker - CVE-2018-15514

ID:4750 - Exploit for Deserialization of Untrusted Data in Docker - CVE-2018-15514

Published: October 27, 2020

Vulnerability identifier: #VU36754

Vulnerability risk: High

CVE-ID: CVE-2018-15514

CWE-ID: CWE-502

Exploitation vector: Remote access

Vulnerable software:
Docker

Link to public exploit:

https://srcincite.io/pocs/src-2018-0026.py.txt

Vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary code.

HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \.pipedockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges.

Remediation

Install update from vendor's website.

ID:4750 - Exploit for Deserialization of Untrusted Data in Docker - CVE-2018-15514

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human