{
  "threat_severity" : "Moderate",
  "public_date" : "2019-05-23T00:00:00Z",
  "bugzilla" : {
    "description" : "docker: symlink-exchange race attacks in docker cp",
    "id" : "1714722",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1714722"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "(CWE-22|CWE-367)",
  "details" : [ "In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).", "A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container." ],
  "statement" : "All versions of docker prior to the fix are vulnerable to this flaw.\nFor clarity, in the \"Affected Packages State\" table, we only include OpenShift Container Platform (OCP) versions 3.7 and below because for these versions docker was shipped as part of the release. For all subsequent versions of OCP until 3.11, docker is installed from the RHEL Extras repository, meaning clusters will be vulnerable to the flaw unless an updated docker package has been applied.\nRed Hat Fuse provides only the Docker client library and is not affected by this vulnerability.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extras",
    "release_date" : "2019-07-29T00:00:00Z",
    "advisory" : "RHSA-2019:1910",
    "cpe" : "cpe:/a:redhat:rhel_extras_other:7",
    "package" : "docker-2:1.13.1-102.git7f2769b.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Out of support scope",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Out of support scope",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Will not fix",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Will not fix",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-15664\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-15664\nhttps://www.openwall.com/lists/oss-security/2019/05/28/1" ],
  "name" : "CVE-2018-15664",
  "mitigation" : {
    "value" : "Stopping a container prior to running \"docker cp\" removes the TOCTOU vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}