Vulnerability Details : CVE-2018-15664
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
Vulnerability category: Directory traversal
Products affected by CVE-2018-15664
- cpe:2.3:a:docker:docker:17.06.2-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.2-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.07.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:rc5:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.1-ce-:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.1-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.1-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.1-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.1-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.04.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.04.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.04.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.05.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.1-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.1-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.07.0-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.09.1-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.10.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.01.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.02.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.0-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.1-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.05.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.07.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.11.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.11.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.11.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.11.0-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.11.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.02.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.1-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.1-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.1-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.1-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.06.1-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.07.0-ce:rc3:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.07.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.10.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.10.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.0-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:17.12.0-ce:rc4:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.01.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.02.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.0-ce:*:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.03.1-ce:rc2:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.0-ce:rc1:*:*:community:*:*:*
- cpe:2.3:a:docker:docker:18.06.0-ce:rc3:*:*:community:*:*:*
Threat overview for CVE-2018-15664
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2018-15664: 76
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-15664
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- Percentile: ~35% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-15664
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.2 | MEDIUM | AV:L/AC:H/Au:N/C:C/I:C/A:C | 1.9 | 10.0 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 0.8 | 6.0 | NIST | |
CWE ids for CVE-2018-15664
- The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-15664
- http://www.openwall.com/lists/oss-security/2019/08/21/1
  oss-security - RE: CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack
- https://usn.ubuntu.com/4048-1/
  USN-4048-1: Docker vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html
  [security-announce] openSUSE-SU-2019:2044-1: moderate: Security update f
- http://www.openwall.com/lists/oss-security/2019/05/28/1
  oss-security - CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack (Mailing List; Exploit; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1910
  RHSA-2019:1910 - Security Advisory - Red Hat Customer Portal
- http://www.securityfocus.com/bid/108507
  Docker CVE-2018-15664 Symlink Directory Traversal Vulnerability (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00066.html
  [security-announce] openSUSE-SU-2019:1621-1: moderate: Security update f
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664
  CVE-2018-15664 | Docker Elevation of Privilege Vulnerability
- https://access.redhat.com/security/cve/cve-2018-15664
  CVE-2018-15664 - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.suse.com/show_bug.cgi?id=1096726
  Bug 1096726 – VUL-0: CVE-2018-15664: docker: 'docker cp' is vulnerable to symlink-exchange race attacks (Issue Tracking; Exploit; Third Party Advisory)
- https://github.com/moby/moby/pull/39252
  daemon: archive: pause containers before doing filesystem operations by cyphar · Pull Request #39252 · moby/moby · GitHub (Issue Tracking; Third Party Advisory)