Docker image code execution with Apache Mesos
High severity
GitHub Reviewed
Published May 13, 2022 to the GitHub Advisory Database. Updated Jan 30, 2023.
Package
Affected versions: < 1.4.3; >= 1.5.0, < 1.5.3; >= 1.6.0, < 1.6.2; >= 1.7.0, < 1.7.2
Patched versions: 1.4.3; 1.5.3; 1.6.2; 1.7.2
Published by the National Vulnerability Database: Mar 25, 2019
Reviewed: Nov 1, 2022
Description
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.