CVE-2018-15664

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
LOCAL
HIGH
LOW
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
dockerdocker
17.06.0-ce
dockerdocker
17.06.0-ce:rc1
dockerdocker
17.06.0-ce:rc2
dockerdocker
17.06.0-ce:rc3
dockerdocker
17.06.0-ce:rc4
dockerdocker
17.06.0-ce:rc5
dockerdocker
17.06.1-ce
dockerdocker
17.06.1-ce:rc1
dockerdocker
17.06.1-ce:rc2
dockerdocker
17.06.1-ce:rc3
dockerdocker
17.06.1-ce:rc4
dockerdocker
17.06.2-ce
dockerdocker
17.06.2-ce:rc1
dockerdocker
17.07.0-ce
dockerdocker
17.07.0-ce:rc1
dockerdocker
17.07.0-ce:rc2
dockerdocker
17.07.0-ce:rc3
dockerdocker
17.07.0-ce:rc4
dockerdocker
17.09.0-ce
dockerdocker
17.09.0-ce:rc1
dockerdocker
17.09.0-ce:rc2
dockerdocker
17.09.0-ce:rc3
dockerdocker
17.09.1-ce
dockerdocker
17.09.1-ce-:rc1
dockerdocker
17.10.0-ce
dockerdocker
17.10.0-ce:rc1
dockerdocker
17.10.0-ce:rc2
dockerdocker
17.11.0-ce
dockerdocker
17.11.0-ce:rc1
dockerdocker
17.11.0-ce:rc2
dockerdocker
17.11.0-ce:rc3
dockerdocker
17.11.0-ce:rc4
dockerdocker
17.12.0-ce
dockerdocker
17.12.0-ce:rc1
dockerdocker
17.12.0-ce:rc2
dockerdocker
17.12.0-ce:rc3
dockerdocker
17.12.0-ce:rc4
dockerdocker
17.12.1-ce
dockerdocker
17.12.1-ce:rc1
dockerdocker
17.12.1-ce:rc2
dockerdocker
18.01.0-ce
dockerdocker
18.01.0-ce:rc1
dockerdocker
18.02.0-ce
dockerdocker
18.02.0-ce:rc1
dockerdocker
18.02.0-ce:rc2
dockerdocker
18.03.0-ce
dockerdocker
18.03.0-ce:rc1
dockerdocker
18.03.0-ce:rc2
dockerdocker
18.03.0-ce:rc3
dockerdocker
18.03.0-ce:rc4
dockerdocker
18.03.1-ce
dockerdocker
18.03.1-ce:rc1
dockerdocker
18.03.1-ce:rc2
dockerdocker
18.04.0-ce
dockerdocker
18.04.0-ce:rc1
dockerdocker
18.04.0-ce:rc2
dockerdocker
18.05.0-ce
dockerdocker
18.05.0-ce:rc1
dockerdocker
18.06.0-ce
dockerdocker
18.06.0-ce:rc1
dockerdocker
18.06.0-ce:rc2
dockerdocker
18.06.0-ce:rc3
dockerdocker
18.06.1-ce:rc1
dockerdocker
18.06.1-ce:rc2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
docker.io
bookworm
20.10.24+dfsg1-1
fixed
bullseye
20.10.5+dfsg1-1+deb11u2
fixed
bullseye (security)
20.10.5+dfsg1-1+deb11u3
fixed
sid
26.1.5+dfsg1-4
fixed
trixie
26.1.5+dfsg1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
docker.io
bionic
Fixed 18.09.7-0ubuntu1~18.04.3
released
cosmic
Fixed 18.09.7-0ubuntu1~18.10.3
released
disco
Fixed 18.09.7-0ubuntu1~19.04.4
released
trusty
dne
xenial
Fixed 18.09.7-0ubuntu1~16.04.4
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
fuse-overlayfs
suse enterprise sap 15 SP1
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP2
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP3
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP4
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP5
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP6
0.4.1-3.3.8
fixed
suse enterprise sap 15 SP7
0.4.1-3.3.8
fixed
suse enterprise server 15 SP1
0.4.1-3.3.8
fixed
suse enterprise server 15 SP2
0.4.1-3.3.8
fixed
suse enterprise server 15 SP3
0.4.1-3.3.8
fixed
suse enterprise server 15 SP4
0.4.1-3.3.8
fixed
suse enterprise server 15 SP5
0.4.1-3.3.8
fixed
suse enterprise server 15 SP6
0.4.1-3.3.8
fixed
suse enterprise server 15 SP7
0.4.1-3.3.8
fixed
fuse3
suse enterprise desktop 15 SP2
3.6.1-3.3.8
fixed
suse enterprise desktop 15 SP3
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP1
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP2
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP3
3.6.1-3.3.8
fixed
suse enterprise server 15 SP1
3.6.1-3.3.8
fixed
suse enterprise server 15 SP2
3.6.1-3.3.8
fixed
suse enterprise server 15 SP3
3.6.1-3.3.8
fixed
libcontainers-common-20190401
suse enterprise desktop 15 SP2
3.3.5
fixed
suse enterprise desktop 15 SP3
3.3.5
fixed
suse enterprise sap 15 SP2
3.3.5
fixed
suse enterprise sap 15 SP3
3.3.5
fixed
suse enterprise server 15 SP2
3.3.5
fixed
suse enterprise server 15 SP3
3.3.5
fixed
libcontainers-common-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libcontainers-default-policy-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libcontainers-sles-mounts-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
libfuse3-3
suse enterprise desktop 15 SP2
3.6.1-3.3.8
fixed
suse enterprise desktop 15 SP3
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP1
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP2
3.6.1-3.3.8
fixed
suse enterprise sap 15 SP3
3.6.1-3.3.8
fixed
suse enterprise server 15 SP1
3.6.1-3.3.8
fixed
suse enterprise server 15 SP2
3.6.1-3.3.8
fixed
suse enterprise server 15 SP3
3.6.1-3.3.8
fixed
podman
suse enterprise sap 15 SP1
1.4.4-4.8.1
fixed
suse enterprise sap 15 SP2
1.4.4-4.8.1
fixed
suse enterprise sap 15 SP3
1.4.4-4.8.1
fixed
suse enterprise server 15 SP1
1.4.4-4.8.1
fixed
suse enterprise server 15 SP2
1.4.4-4.8.1
fixed
suse enterprise server 15 SP3
1.4.4-4.8.1
fixed
podman-cni-config
suse enterprise sap 15 SP1
1.4.4-4.8.1
fixed
suse enterprise sap 15 SP2
1.4.4-4.8.1
fixed
suse enterprise sap 15 SP3
1.4.4-4.8.1
fixed
suse enterprise server 15 SP1
1.4.4-4.8.1
fixed
suse enterprise server 15 SP2
1.4.4-4.8.1
fixed
suse enterprise server 15 SP3
1.4.4-4.8.1
fixed
registries-conf-default-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
registries-conf-suse-20240408
suse enterprise desktop 15 SP6
150600.1.1
fixed
suse enterprise desktop 15 SP7
150600.1.1
fixed
suse enterprise sap 15 SP6
150600.1.1
fixed
suse enterprise sap 15 SP7
150600.1.1
fixed
suse enterprise server 15 SP6
150600.1.1
fixed
suse enterprise server 15 SP7
150600.1.1
fixed
slirp4netns
suse enterprise sap 15 SP1
0.3.0-3.3.3
fixed
suse enterprise sap 15 SP2
0.3.0-3.3.3
fixed
suse enterprise sap 15 SP3
0.3.0-3.3.3
fixed
suse enterprise sap 15 SP4
0.3.0-3.3.3
fixed
suse enterprise server 15 SP1
0.3.0-3.3.3
fixed
suse enterprise server 15 SP2
0.3.0-3.3.3
fixed
suse enterprise server 15 SP3
0.3.0-3.3.3
fixed
suse enterprise server 15 SP4
0.3.0-3.3.3
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00066.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html
http://www.openwall.com/lists/oss-security/2019/05/28/1
http://www.openwall.com/lists/oss-security/2019/08/21/1
http://www.securityfocus.com/bid/108507
https://access.redhat.com/errata/RHSA-2019:1910
https://bugzilla.suse.com/show_bug.cgi?id=1096726
https://github.com/moby/moby/pull/39252
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664
https://usn.ubuntu.com/4048-1/
https://access.redhat.com/security/cve/cve-2018-15664
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00066.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html
http://www.openwall.com/lists/oss-security/2019/05/28/1
http://www.openwall.com/lists/oss-security/2019/08/21/1
http://www.securityfocus.com/bid/108507
https://access.redhat.com/errata/RHSA-2019:1910
https://bugzilla.suse.com/show_bug.cgi?id=1096726
https://github.com/moby/moby/pull/39252
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664
https://usn.ubuntu.com/4048-1/