#VU20501 Path traversal in Docker - CVE-2018-15664

Cybersecurity Help s.r.o.

Published: 2019-09-02

Vulnerability identifier: #VU20501

Vulnerability risk: Low

CVSSv4.0: 5.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-15664

CWE-ID: CWE-22

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Docker
Server applications / Virtualization software

Vendor: Docker Inc.

Description

The vulnerability allows a local attacker to perform directory traversal attacks.

The vulnerability exists due to the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack. A local authenticated attacker can gain read-write access to the host filesystem with root privileges, because "daemon/archive.go" does not do archive operations on a frozen filesystem (or from within a chroot).

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Docker: All versions

External links
https://bugzilla.suse.com/show_bug.cgi?id=1096726
https://github.com/moby/moby/pull/39252

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for podman, slirp4netns and libcontainers-common

Red Hat update for docker

Amazon Linux AMI update for docker

Path traversal in docker (Alpine package)

OpenSUSE Linux update for docker

Multiple vulnerabilities in IBM Cloud Automation Manager