CVE-2014-6407 — Link Following in Docker Docker

CWE-59 — Link Following13 documents8 sources

Severity

7.5HIGHNVD

EPSS

5.9%

top 9.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Docker Docker Docker

Timeline

PublishedDec 12

Latest updateAug 21

Description

Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Gogithub.com/docker_docker< 1.3.2

▶NVDdocker/docker1.3.1+2

🔴Vulnerability Details

OSV

Arbitrary Code Execution in Docker in github.com/docker/docker↗2024-08-21

▶

OSV

Arbitrary Code Execution in Docker↗2022-02-15

▶

GHSA

Arbitrary Code Execution in Docker↗2022-02-15

▶

OSV

CVE-2014-6407: Docker before 1↗2014-12-12

▶

CVEList

CVE-2014-6407: Docker before 1↗2014-12-12

▶

📋Vendor Advisories

Microsoft

CVE-2014-6407: NIST NVD Details: https://nvd↗2021-07-13

▶

Red Hat

docker: directory traversal flaw in docker↗2017-10-16

▶

Red Hat

docker: symbolic and hardlink issues leading to privilege escalation↗2014-11-24

▶

Debian

CVE-2014-6407: docker.io - Docker before 1.3.2 allows remote attackers to write to arbitrary files and exec...↗2014

▶

💬Community

Bugzilla

CVE-2014-6408 CVE-2014-6407 docker-io: various flaws [epel-6]↗2014-11-25

▶

Bugzilla

CVE-2014-6408 CVE-2014-6407 docker-io: various flaws [fedora-all]↗2014-11-25

▶

Bugzilla

CVE-2014-6407 docker: symbolic and hardlink issues leading to privilege escalation↗2014-11-25

▶