CVE-2015-3630: Information Exposure
(updated )
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.
References
- github.com/advisories/GHSA-8fvr-5rqf-3wwh
- github.com/moby/moby/commit/545b440a80f676a506e5837678dd4c4f65e78660
- groups.google.com/forum/
- groups.google.com/forum/
- lists.opensuse.org/opensuse-updates/2015-05/msg00023.html
- nvd.nist.gov/vuln/detail/CVE-2015-3630
- packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html
- seclists.org/fulldisclosure/2015/May/28
- web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3630
- www.securityfocus.com/bid/74566
Code Behaviors & Features
Detect and mitigate CVE-2015-3630 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →