CVE-2015-3627
published 2015-05-18
CVE-2015-3627: Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to…
Priority: P429 · high · 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.61% (44.6th percentile)
Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 1.6.1+dfsg1-1 (bookworm) | docker.io 1.6.1+dfsg1-1 (bookworm) |
| docker | docker | <= 1.6 | — |
| docker | libcontainer | <= 1.6.0 | — |
| github.com | docker_docker | >= 0 < 1.6.1 | 1.6.1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| xmlsoft | libxml2 | >= 0 < 2.9.1+dfsg1-3ubuntu4.8 | 2.9.1+dfsg1-3ubuntu4.8 |
| xmlsoft | libxml2 | >= 0 < 2.9.3+dfsg1-1ubuntu0.1 | 2.9.3+dfsg1-1ubuntu0.1 |
CVSS provenance
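| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.2 | HIGH | — |
| vendor_msrc | — | 7.2 | HIGH | — |
| vendor_redhat | — | 7.2 | HIGH | — |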
Microsoft
CVE-2015-3627: NIST NVD Details: https://nvd
vendor_msrc·2021-07-13·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627: NIST NVD Details: https://nvd
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2015-3627
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
Red Hat
docker: insecure opening of file-descriptor 1 leading to privilege escalation
vendor_redhat·2015-05-07·CVSS 7.2
CVE-2015-3627 [HIGH] CWE-22 docker: insecure opening of file-descriptor 1 leading to privilege escalation
Debian
CVE-2015-3627: docker.io - Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to ...
vendor_debian·2015·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627: docker.io - Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to ...
Scope: local
bookworm: resolved (fixed in 1.6.1+dfsg1-1)
bullseye: resolved (fixed in 1.6.1+dfsg1-1)
forky: resolved (fixed in 1.6.1+dfsg1-1)
sid: resolved (fixed in 1.6.1+dfsg1-1)
trixie: resolved (fixed in 1.6.1+dfsg1-1)
OSV
Symlink Attack in Libcontainer and Docker Engine in github.com/docker/docker
osv·2024-08-21
GHSA
Symlink Attack in Libcontainer and Docker Engine
ghsa·2022-02-15
CVE-2015-3627 [MEDIUM] CWE-59 Symlink Attack in Libcontainer and Docker Engine
OSV
Symlink Attack in Libcontainer and Docker Engine
osv·2022-02-15
CVE-2015-3627 [MEDIUM] Symlink Attack in Libcontainer and Docker Engine
OSV
libxml2 vulnerabilities
osv·2016-06-06·CVSS 7.5
CVE-2015-8806 libxml2 vulnerabilities
It was discovered that libxml2 incorrectly handled certain malformed
documents. If a user or automated system were tricked into opening a
specially crafted document, an attacker could possibly cause libxml2 to
crash, resulting in a denial of service. (CVE-2015-8806, CVE-2016-2073,
CVE-2016-3627, CVE-2016-3705, CVE-2016-4447)
It was discovered that libxml2 incorrectly handled certain malformed
documents. If a user or automated system were tricked into opening a
specially crafted document, an attacker could cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-1762, CVE-2016-1834)
Mateusz Jurczyk discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked into
OSV
CVE-2015-3627: Libcontainer and Docker Engine before 1
osv·2015-05-18·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627: Libcontainer and Docker Engine before 1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-3627 docker-io: docker: insecure opening of file-descriptor 1 leading to privilege escalation [epel-6]
bugzilla·2015-05-08·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627 docker-io: docker: insecure opening of file-descriptor 1 leading to privilege escalation [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking b
Bugzilla
CVE-2015-3627 docker-io: docker: insecure opening of file-descriptor 1 leading to privilege escalation [fedora-all]
bugzilla·2015-05-08·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627 docker-io: docker: insecure opening of file-descriptor 1 leading to privilege escalation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue a
Bugzilla
CVE-2015-3627 docker: insecure opening of file-descriptor 1 leading to privilege escalation
bugzilla·2015-05-06·CVSS 7.2
CVE-2015-3627 [HIGH] CVE-2015-3627 docker: insecure opening of file-descriptor 1 leading to privilege escalation
The following flaw was reported in Docker:
The file-descriptor passed by libcontainer to the pid-1 process of a container has been found to be opened prior to performing the chroot, allowing insecure open and symlink traversal. This allows malicious container images to trigger a local privilege escalation.
Libcontainer and Docker Engine 1.6.1 address this vulnerability.
Acknowledgements:
Red Hat would like to thank Eric Windisch of the Docker project for reporting this issue.
Discussion:
This issue is exploitable by malicious Docker images. Red Hat supports images from its own registry, ISV images certified by the Red Hat certification program, and images using qualified customer content.
- http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html
- http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2015/May/28
- https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ