Vulnerability identifier: #VU40066
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Docker (Server applications / Virtualization software)
Vendor: Docker Inc.
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Docker: 1.12.2
External links
http://www.securityfocus.com/bid/94228
http://www.securitytracker.com/id/1037203
http://www.docker.com/docker-cve-database
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.