Fluid Attacks Database

Description

Information Exposure in Docker Engine Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	docker.io	>=0 <1.6.1+dfsg1-1	1.6.1+dfsg1-1
go	github.com/docker/docker	>=1.6.0 <1.6.1	1.6.1
go	github.com/moby/moby	>=1.6.0 <1.6.1	1.6.1
debian 11	docker.io	>=0 <1.6.1+dfsg1-1	1.6.1+dfsg1-1
debian 12	docker.io	>=0 <1.6.1+dfsg1-1	1.6.1+dfsg1-1
debian 14	docker.io	>=0 <1.6.1+dfsg1-1	1.6.1+dfsg1-1

Aliases

1. CVE-2015-36302. NVD-2015-36303. NVD-2015-36304. OSV-DEBIAN-2015-36305. OSV-2015-36306. GHSA-8fvr-5rqf-3wwh7. GCVE-2015-36308. SECURITY-TRACKER-CVE-2015-3630

References

1. https://github.com/moby/moby/commit/545b440a80f676a506e5837678dd4c4f65e786602. https://groups.google.com/forum/#!searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ3. https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ4. https://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html5. https://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html6. https://seclists.org/fulldisclosure/2015/May/287. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-36308. https://www.securityfocus.com/bid/74566