CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 1CVE-2019-15752 – Docker Desktop Community Edition Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-15752
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. Docker Desktop Community Edition antes de 2.1.0.1 permite a los usuarios locales obtener privilegios al colocar un archivo trojan horse docker-credential-wincred.exe en% PROGRAMDATA% \ DockerDesktop \ version-bin \ como un usuario con pocos privilegios y luego esperar un administrador o usuario de servicio para identificarse con Docker, reiniciar Docker o ejecutar 'inicio de sesión de docker' para forzar el comando. Docker Desktop Community Edition contains a vulnerability that may allow local users to escalate privileges by placing a trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\. • https://www.exploit-db.com/exploits/48388 http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E https://medium.com/%40morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-13139
https://notcve.org/view.php?id=CVE-2019-13139
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag. En Docker versiones anteriores a 18.09.4, un atacante que sea capaz de suministrar o manipular la ruta de compilación para el comando "docker build" podría ser capaz de conseguir la ejecución de comandos. Existe un problema en la forma en que "docker build" procesa las URL de git remotas, y resulta en la inyección de comandos en el comando subyacente "git clone", lo que conlleva a la ejecución de código en el contexto del usuario ejecutando el comando "docker build". • https://access.redhat.com/errata/RHBA-2019:3092 https://docs.docker.com/engine/release-notes/#18094 https://github.com/moby/moby/pull/38944 https://seclists.org/bugtraq/2019/Sep/21 https://security.netapp.com/advisory/ntap-20190910-0001 https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build https://www.debian.org/security/2019/dsa-4521 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 0%CPEs: 43EXPL: 21CVE-2019-5736 – runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout
https://notcve.org/view.php?id=CVE-2019-5736
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. runc, hasta la versión 1.0-rc6, tal y como se emplea en Docker, en versiones anteriores a la 18.09.2 y otros productos, permite que los atacantes sobrescriban el binario del host runc (y, así, obtengan acceso root al host) aprovechando la capacidad para ejecutar un comando como root con uno de estos tipos de contenedores: (1) un nuevo contenedor con una imagen controlada por el atacante o (2) un contenedor existente, para el cual el atacante contaba previamente con acceso de escritura, que puede adjuntarse con docker exec. Esto ocurre debido a la gestión incorrecta del descriptor de archivos; esto está relacionado con /proc/self/exe. A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. • https://github.com/Frichetten/CVE-2019-5736-PoC https://www.exploit-db.com/exploits/46369 https://www.exploit-db.com/exploits/46359 https://github.com/twistlock/RunC-CVE-2019-5736 https://github.com/jas502n/CVE-2019-5736 https://github.com/RyanNgWH/CVE-2019-5736-POC https://github.com/zyriuse75/CVE-2019-5736-PoC https://github.com/likescam/CVE-2019-5736 https://github.com/geropl/CVE-2019-5736 https://github.com/si1ent-le/CVE-2019-5736 https://github.com/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2017-14992
https://notcve.org/view.php?id=CVE-2017-14992
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing. Una falta de verificación en Docker-CE (también conocido como Moby), en versiones 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0 y anteriores, permite que un atacante remoto provoque una denegación de servicio (DoS) mediante un payload de capa de imagen modificado. Esto también se conoce como gzip bombing. • https://blog.cloudpassage.com/2017/10/13/discovering-docker-cve-2017-14992 https://github.com/moby/moby/issues/35075 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0047
https://notcve.org/view.php?id=CVE-2014-0047
Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. Las versiones anteriores a la 1.5 de Docker permiten que los usuarios locales provoquen un impacto sin especificar mediante vectores relacionados con el uso no seguro de /tmp. • http://www.openwall.com/lists/oss-security/2015/03/24/23 http://www.securityfocus.com/bid/73315 https://bugzilla.redhat.com/show_bug.cgi?id=1063549 •