MicrosoftMS:CVE-2018-15664Docker Elevation of Privilege Vulnerability
7.5 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
29.0%
Summary
CVE-2018-15664 describes a vulnerability in the Docker runtime (and the underlying community project, Moby) wherein a malicious/compromised container can acquire full read/write access to the host operating system where that container is running. The vulnerability depends on the way that the Docker runtime handles symbolic links and is most directly exploitable through the Docker copy API (βdocker cpβ in the Docker CLI).
What is the risk for Azure Kubernetes Service (AKS) and Azure IoT Edge customers?
The risk for AKS and Azure IoT Edge customers is minimal as the following need to be true:
- A container on the host must be compromised.
- The attacker must have access to the host machine, as the docker API is not exposed by default from outside of the host.
Related
7.5 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
6.2 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:H/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
29.0%