Skip to content

Information Exposure in Docker Engine

High severity GitHub Reviewed Published Feb 15, 2022 to the GitHub Advisory Database • Updated Jul 8, 2024

Package

gomod github.com/docker/docker (Go)

Affected versions

>= 1.6.0, < 1.6.1

Patched versions

1.6.1

Description

Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

References

Reviewed May 19, 2021
Published to the GitHub Advisory Database Feb 15, 2022
Last updated Jul 8, 2024

Severity

High
8.4
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2015-3630

GHSA ID

GHSA-8fvr-5rqf-3wwh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.