CVE-2014-9357

Published: 16/12/2014 Updated: 07/11/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Docker 1.3.2 allows remote malicious users to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Vulnerable Product

docker docker 1.3.2

Vendor Advisories

Debian Bug report logs - #772909: docker.io: CVE-2014-9356 CVE-2014-9357 CVE-2014-9358. Package: src:docker.io; Maintainer for src:docker.io is Dmitry Smirnov <onlyjob@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 12 Dec 2014 05:45:02 UTC; Severity: grave; Tags: fixed-upstream, security, u ...
Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts. This vulnerability allowed malicious ...
A flaw was found in the way the Docker service unpacked images or builds after a "docker pull". An attacker could use this flaw to provide a malicious image or build that, when unpacked, would escalate their privileges on the system ...