Vulnerability identifier: #VU20501

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-15664

CWE-ID: CWE-22

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Docker
Server applications / Virtualization software

Vendor: Docker Inc.

Description

The vulnerability allows a local attacker to perform directory traversal attacks.

The vulnerability exists due to the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack. A local authenticated attacker can gain read-write access to the host filesystem with root privileges, because "daemon/archive.go" does not do archive operations on a frozen filesystem (or from within a chroot).

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Docker: All versions

---

External links
http://bugzilla.suse.com/show_bug.cgi?id=1096726
http://github.com/moby/moby/pull/39252

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.