CVE-2018-15664

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
Configurations

Configuration 1

cpe:2.3:a:docker:docker:17.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:rc5:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.1-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.06.2-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.07.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce-:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.09.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.10.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.11.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:17.12.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.01.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.02.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:rc4:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.03.1-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.04.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.05.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc2:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:rc3:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.0-ce:*:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc1:*:*:community:*:*:*
cpe:2.3:a:docker:docker:18.06.1-ce:rc2:*:*:community:*:*:*

Information

Published : 2019-05-23 02:29

Updated : 2019-06-25 12:15


NVD link : CVE-2018-15664

Mitre link : CVE-2018-15664

Products Affected
No products.
CWE