CVE-2018-15664

Source
https://cve.org/CVERecord?id=CVE-2018-15664
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-15664.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-15664
Published
2019-05-23T14:29:07.453Z
Modified
2026-04-11T18:43:58.097975Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
[none]
Details

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

Affected packages

Git / github.com/moby/moby

Affected ranges

Type
GIT
Repo
https://github.com/moby/moby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": [
        "cpe:2.3:a:docker:docker:17.06.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.0-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.0-ce:rc5:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.1-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.1-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.1-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.1-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.1-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.2-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.06.2-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.07.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.07.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.07.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.07.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.07.0-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.1-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.09.1-ce-:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.10.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.10.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.10.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.11.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.11.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.11.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.11.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.11.0-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.0-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.1-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.1-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:17.12.1-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.01.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.01.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.02.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.02.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.02.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.0-ce:rc4:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.1-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.1-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.03.1-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.04.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.04.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.04.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.05.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.05.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.0-ce:*:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.0-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.0-ce:rc2:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.0-ce:rc3:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.1-ce:rc1:*:*:community:*:*:*",
        "cpe:2.3:a:docker:docker:18.06.1-ce:rc2:*:*:community:*:*:*"
    ],
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "17.06.0-ce"
        },
        {
            "last_affected": "17.06.0-ce-rc1"
        },
        {
            "last_affected": "17.06.0-ce-rc2"
        },
        {
            "last_affected": "17.06.0-ce-rc3"
        },
        {
            "last_affected": "17.06.0-ce-rc4"
        },
        {
            "last_affected": "17.06.0-ce-rc5"
        },
        {
            "last_affected": "17.06.1-ce"
        },
        {
            "last_affected": "17.06.1-ce-rc1"
        },
        {
            "last_affected": "17.06.1-ce-rc2"
        },
        {
            "last_affected": "17.06.1-ce-rc3"
        },
        {
            "last_affected": "17.06.1-ce-rc4"
        },
        {
            "last_affected": "17.06.2-ce"
        },
        {
            "last_affected": "17.06.2-ce-rc1"
        },
        {
            "last_affected": "17.07.0-ce"
        },
        {
            "last_affected": "17.07.0-ce-rc1"
        },
        {
            "last_affected": "17.07.0-ce-rc2"
        },
        {
            "last_affected": "17.07.0-ce-rc3"
        },
        {
            "last_affected": "17.07.0-ce-rc4"
        },
        {
            "last_affected": "17.09.0-ce"
        },
        {
            "last_affected": "17.09.0-ce-rc1"
        },
        {
            "last_affected": "17.09.0-ce-rc2"
        },
        {
            "last_affected": "17.09.0-ce-rc3"
        },
        {
            "last_affected": "17.09.1-ce"
        },
        {
            "last_affected": "17.09.1-ce--rc1"
        },
        {
            "last_affected": "17.10.0-ce"
        },
        {
            "last_affected": "17.10.0-ce-rc1"
        },
        {
            "last_affected": "17.10.0-ce-rc2"
        },
        {
            "last_affected": "17.11.0-ce"
        },
        {
            "last_affected": "17.11.0-ce-rc1"
        },
        {
            "last_affected": "17.11.0-ce-rc2"
        },
        {
            "last_affected": "17.11.0-ce-rc3"
        },
        {
            "last_affected": "17.11.0-ce-rc4"
        },
        {
            "last_affected": "17.12.0-ce"
        },
        {
            "last_affected": "17.12.0-ce-rc1"
        },
        {
            "last_affected": "17.12.0-ce-rc2"
        },
        {
            "last_affected": "17.12.0-ce-rc3"
        },
        {
            "last_affected": "17.12.0-ce-rc4"
        },
        {
            "last_affected": "17.12.1-ce"
        },
        {
            "last_affected": "17.12.1-ce-rc1"
        },
        {
            "last_affected": "17.12.1-ce-rc2"
        },
        {
            "last_affected": "18.01.0-ce"
        },
        {
            "last_affected": "18.01.0-ce-rc1"
        },
        {
            "last_affected": "18.02.0-ce"
        },
        {
            "last_affected": "18.02.0-ce-rc1"
        },
        {
            "last_affected": "18.02.0-ce-rc2"
        },
        {
            "last_affected": "18.03.0-ce"
        },
        {
            "last_affected": "18.03.0-ce-rc1"
        },
        {
            "last_affected": "18.03.0-ce-rc2"
        },
        {
            "last_affected": "18.03.0-ce-rc3"
        },
        {
            "last_affected": "18.03.0-ce-rc4"
        },
        {
            "last_affected": "18.03.1-ce"
        },
        {
            "last_affected": "18.03.1-ce-rc1"
        },
        {
            "last_affected": "18.03.1-ce-rc2"
        },
        {
            "last_affected": "18.04.0-ce"
        },
        {
            "last_affected": "18.04.0-ce-rc1"
        },
        {
            "last_affected": "18.04.0-ce-rc2"
        },
        {
            "last_affected": "18.05.0-ce"
        },
        {
            "last_affected": "18.05.0-ce-rc1"
        },
        {
            "last_affected": "18.06.0-ce"
        },
        {
            "last_affected": "18.06.0-ce-rc1"
        },
        {
            "last_affected": "18.06.0-ce-rc2"
        },
        {
            "last_affected": "18.06.0-ce-rc3"
        },
        {
            "last_affected": "18.06.1-ce-rc1"
        },
        {
            "last_affected": "18.06.1-ce-rc2"
        }
    ]
}

Affected versions

0.*
0.0.3
docs-v1.*
docs-v1.12.0-rc4-2016-07-15
upstream/0.*
upstream/0.1.2
upstream/0.1.3
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.3.2
v0.4.1
v0.4.2
v0.4.4
v0.4.5
v0.4.7
v0.5.0
v0.6.5
v0.7.0
v0.7.1
v0.7.2
v17.*
v17.06.0-ce
v17.06.0-ce-rc1
v17.06.0-ce-rc2
v17.06.0-ce-rc3
v17.06.0-ce-rc4
v17.06.0-ce-rc5
v17.06.1-ce
v17.06.1-ce-rc1
v17.06.1-ce-rc2
v17.06.1-ce-rc3
v17.06.1-ce-rc4
v17.06.2-ce
v17.06.2-ce-rc1
v17.07.0-ce
v17.07.0-ce-rc1
v17.07.0-ce-rc2
v17.07.0-ce-rc3
v17.07.0-ce-rc4
v17.09.0-ce
v17.09.0-ce-rc1
v17.09.0-ce-rc2
v17.09.0-ce-rc3
v17.09.1-ce
v17.09.1-ce-rc1
v17.10.0-ce
v17.10.0-ce-rc1
v17.10.0-ce-rc2
v17.11.0-ce
v17.11.0-ce-rc1
v17.11.0-ce-rc2
v17.11.0-ce-rc3
v17.11.0-ce-rc4
v17.12.0-ce
v17.12.0-ce-rc1
v17.12.0-ce-rc2
v17.12.0-ce-rc3
v17.12.0-ce-rc4
v17.12.1-ce
v17.12.1-ce-rc1
v17.12.1-ce-rc2
v18.*
v18.01.0-ce
v18.01.0-ce-rc1
v18.02.0-ce
v18.02.0-ce-rc1
v18.02.0-ce-rc2
v18.03.0-ce
v18.03.0-ce-rc1
v18.03.0-ce-rc2
v18.03.0-ce-rc3
v18.03.0-ce-rc4
v18.03.1-ce
v18.03.1-ce-rc1
v18.03.1-ce-rc2
v18.04.0-ce
v18.04.0-ce-rc1
v18.04.0-ce-rc2
v18.05.0-ce
v18.05.0-ce-rc1
v18.06.0-ce
v18.06.0-ce-rc1
v18.06.0-ce-rc2
v18.06.0-ce-rc3
v18.06.1-ce-rc1
v18.06.1-ce-rc2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-15664.json"