CVE-2017-16539 — Sensitive Information Exposure in Moby Moby

CWE-200 — Sensitive Information Exposure CWE-20 — Improper Input Validation8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 36.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Moby Moby Mobyproject Moby

Timeline

PublishedNov 4

Latest updateMay 17

Description

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Gogithub.com/moby_moby< 17.12.0-ce

▶NVDmobyproject/moby17.03.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: marc.info ↗

🔴Vulnerability Details

GHSA

Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)↗2022-05-17

▶

OSV

Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)↗2022-05-17

▶

OSV

CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults↗2017-11-04

▶

CVEList

CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults↗2017-11-04

▶

📋Vendor Advisories

Red Hat

docker: The DefaultLinuxSpec function does not block /proc/scsi pathnames↗2017-11-03

▶

Debian

CVE-2017-16539: docker.io - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-...↗2017

▶

💬Community

Bugzilla

CVE-2017-16539 docker: The DefaultLinuxSpec function does not block /proc/scsi pathnames↗2017-11-22

▶