CVE-2014-6407
The MITRE CVE dictionary describes this issue as:
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
Find out more about CVE-2014-6407 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue.
Red Hat does not support or recommend running untrusted images.
CVSS v2 metrics
| Base Score | 3.7 |
|---|---|
| Base Metrics | AV:L/AC:H/Au:M/C:N/I:C/A:N |
| Access Vector | Local |
| Access Complexity | High |
| Authentication | Multiple |
| Confidentiality Impact | None |
| Integrity Impact | Complete |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 Extras (docker) | RHBA-2014:1977 | 2014-12-10 |
Acknowledgements
Red Hat would like to thank the Docker project for reporting these issues. Upstream acknowledges Florian Weimer of Red Hat Product Security and independent researcher Tõnis Tiigi as the original reporters.CVE description copyright © 2017, The MITRE Corporation