CVE-2015-3630 — Improper Authorization in Docker Docker

CWE-264 CWE-285 — Improper Authorization12 documents8 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 70.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Docker Docker Docker

Timeline

PublishedMay 18

Latest updateAug 21

Description

Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages2 packages

▶Gogithub.com/docker_docker1.6.0 — 1.6.1

▶NVDdocker/docker1.6

🔴Vulnerability Details

OSV

Information Exposure in Docker Engine in github.com/docker/docker↗2024-08-21

▶

GHSA

Information Exposure in Docker Engine↗2022-02-15

▶

OSV

Information Exposure in Docker Engine↗2022-02-15

▶

CVEList

CVE-2015-3630: Docker Engine before 1↗2015-05-18

▶

OSV

CVE-2015-3630: Docker Engine before 1↗2015-05-18

▶

📋Vendor Advisories

Microsoft

CVE-2015-3630: NIST NVD Details: https://nvd↗2021-07-13

▶

Red Hat

docker: Read/write proc paths allow host modification & information disclosure↗2015-05-07

▶

Debian

CVE-2015-3630: docker.io - Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc...↗2015

▶

💬Community

Bugzilla

CVE-2015-3630 docker-io: docker: Read/write proc paths allow host modification & information disclosure [epel-6]↗2015-05-08

▶

Bugzilla

CVE-2015-3630 docker-io: docker: Read/write proc paths allow host modification & information disclosure [fedora-all]↗2015-05-08

▶

Bugzilla

CVE-2015-3630 docker: Read/write proc paths allow host modification & information disclosure↗2015-05-06

▶