CVE-2018-15664
docker: symlink-exchange race attacks in docker cp
Public Exploits: 2
Exploited in Wild: -
Descriptions
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
Timeline
- 2018-08-21 CVE Reserved
- 2019-05-23 CVE Published
- 2024-05-16 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
References (13)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/08/21/1 | Mailing List | |
http://www.securityfocus.com/bid/108507 | Third Party Advisory | |
https://access.redhat.com/security/cve/cve-2018-15664 | Third Party Advisory | |
https://github.com/moby/moby/pull/39252 | Issue Tracking | |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664 | X_refsource_confirm |
URL | Date | SRC |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/05/28/1 | 2024-08-05 | |
https://bugzilla.suse.com/show_bug.cgi?id=1096726 | 2024-08-05 |
URL | Date | SRC |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00066.html | 2019-06-25 | |
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html | 2019-06-25 | |
https://access.redhat.com/errata/RHSA-2019:1910 | 2019-06-25 | |
https://usn.ubuntu.com/4048-1 | 2019-06-25 | |
https://access.redhat.com/security/cve/CVE-2018-15664 | 2019-07-29 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1714722 | 2019-07-29 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Docker | Docker | 17.06.0-ce | community | Affected |
Docker | Docker | 17.06.0-ce | rc1, community | Affected |
Docker | Docker | 17.06.0-ce | rc2, community | Affected |
Docker | Docker | 17.06.0-ce | rc3, community | Affected |
Docker | Docker | 17.06.0-ce | rc4, community | Affected |
Docker | Docker | 17.06.0-ce | rc5, community | Affected |
Docker | Docker | 17.06.1-ce | community | Affected |
Docker | Docker | 17.06.1-ce | rc1, community | Affected |
Docker | Docker | 17.06.1-ce | rc2, community | Affected |
Docker | Docker | 17.06.1-ce | rc3, community | Affected |
Docker | Docker | 17.06.1-ce | rc4, community | Affected |
Docker | Docker | 17.06.2-ce | community | Affected |
Docker | Docker | 17.06.2-ce | rc1, community | Affected |
Docker | Docker | 17.07.0-ce | community | Affected |
Docker | Docker | 17.07.0-ce | rc1, community | Affected |
Docker | Docker | 17.07.0-ce | rc2, community | Affected |
Docker | Docker | 17.07.0-ce | rc3, community | Affected |
Docker | Docker | 17.07.0-ce | rc4, community | Affected |
Docker | Docker | 17.09.0-ce | community | Affected |
Docker | Docker | 17.09.0-ce | rc1, community | Affected |
Docker | Docker | 17.09.0-ce | rc2, community | Affected |
Docker | Docker | 17.09.0-ce | rc3, community | Affected |
Docker | Docker | 17.09.1-ce | community | Affected |
Docker | Docker | 17.09.1-ce- | rc1, community | Affected |
Docker | Docker | 17.10.0-ce | community | Affected |
Docker | Docker | 17.10.0-ce | rc1, community | Affected |
Docker | Docker | 17.10.0-ce | rc2, community | Affected |
Docker | Docker | 17.11.0-ce | community | Affected |
Docker | Docker | 17.11.0-ce | rc1, community | Affected |
Docker | Docker | 17.11.0-ce | rc2, community | Affected |
Docker | Docker | 17.11.0-ce | rc3, community | Affected |
Docker | Docker | 17.11.0-ce | rc4, community | Affected |
Docker | Docker | 17.12.0-ce | community | Affected |
Docker | Docker | 17.12.0-ce | rc1, community | Affected |
Docker | Docker | 17.12.0-ce | rc2, community | Affected |
Docker | Docker | 17.12.0-ce | rc3, community | Affected |
Docker | Docker | 17.12.0-ce | rc4, community | Affected |
Docker | Docker | 17.12.1-ce | community | Affected |
Docker | Docker | 17.12.1-ce | rc1, community | Affected |
Docker | Docker | 17.12.1-ce | rc2, community | Affected |
Docker | Docker | 18.01.0-ce | community | Affected |
Docker | Docker | 18.01.0-ce | rc1, community | Affected |
Docker | Docker | 18.02.0-ce | community | Affected |
Docker | Docker | 18.02.0-ce | rc1, community | Affected |
Docker | Docker | 18.02.0-ce | rc2, community | Affected |
Docker | Docker | 18.03.0-ce | community | Affected |
Docker | Docker | 18.03.0-ce | rc1, community | Affected |
Docker | Docker | 18.03.0-ce | rc2, community | Affected |
Docker | Docker | 18.03.0-ce | rc3, community | Affected |
Docker | Docker | 18.03.0-ce | rc4, community | Affected |
Docker | Docker | 18.03.1-ce | community | Affected |
Docker | Docker | 18.03.1-ce | rc1, community | Affected |
Docker | Docker | 18.03.1-ce | rc2, community | Affected |
Docker | Docker | 18.04.0-ce | community | Affected |
Docker | Docker | 18.04.0-ce | rc1, community | Affected |
Docker | Docker | 18.04.0-ce | rc2, community | Affected |
Docker | Docker | 18.05.0-ce | community | Affected |
Docker | Docker | 18.05.0-ce | rc1, community | Affected |
Docker | Docker | 18.06.0-ce | community | Affected |
Docker | Docker | 18.06.0-ce | rc1, community | Affected |
Docker | Docker | 18.06.0-ce | rc2, community | Affected |
Docker | Docker | 18.06.0-ce | rc3, community | Affected |
Docker | Docker | 18.06.1-ce | rc1, community | Affected |
Docker | Docker | 18.06.1-ce | rc2, community | Affected |