Lucene search

K
myhack58佚名MYHACK58:62201994377
HistoryMay 31, 2019 - 12:00 a.m.

Not to fix the vulnerabilities will affect all Docker versions-vulnerability warning-the black bar safety net

2019-05-3100:00:00
佚名
www.myhack58.com
217

7.5 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

6.2 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:H/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

28.5%

All versions of Docker are currently vulnerable to a“race condition”attacks, such attacks may allow an attacker to host any file on the system has read and write access permissions, the proof-of-concept code has been released. The vulnerability is similar to CVE-2018-15664, it is a hack to provide a window, you can specify the beginning of the program to a resource before the operation to modify the resource path, the home to the time of check TOCTOU type of error.

The vulnerability of the core from FollowSymlinkInScope function, which is vulnerable to TOCTOU attacks. The purpose of this function is obtained by the process as a Docker container Assembly to a secure way to parse the specified path. Explain the path of the operation is not immediately performed, it will“slightly delay after the finish.” An attacker can use this time difference to modify the path, the path will eventually with root privileges related to the operation of

7.5 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

6.2 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:H/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

28.5%