CVE-2019-14271 : In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitc

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

Published 2019-07-29 18:15:11

Updated 2022-04-18 17:03:40

Source MITRE

View at NVD, CVE.org

Threat overview for CVE-2019-14271

Top countries where our scanners detected CVE-2019-14271

Top open port discovered on systems with this issue 2375

IPs affected by CVE-2019-14271 8

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-14271!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-14271

Probability of exploitation activity in the next 30 days: 1.60%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-14271

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-14271

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-14271

https://seclists.org/bugtraq/2019/Sep/21

Bugtraq: [SECURITY] [DSA 4521-1] docker.io security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://docs.docker.com/engine/release-notes/

Docker Engine release notes | Docker Documentation
Release Notes;Third Party Advisory

CVEs referencing this url
https://github.com/moby/moby/issues/39449

docker 19.03-RC3: cp broken with debian containers (arm?) · Issue #39449 · moby/moby · GitHub
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190828-0003/

August 2019 Docker Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html

[security-announce] openSUSE-SU-2019:2021-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4521

Debian -- Security Information -- DSA-4521-1 docker.io
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2019-14271