Fluid Attacks Database

Description

Moby Docker cp broken with debian containers In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/docker/docker	>=19.03.0 <19.03.1	19.03.1
go	github.com/moby/moby	>=0 <20.10.0-beta1	20.10.0-beta1
debian 12	docker.io	>=0 <18.09.1+dfsg1-9	18.09.1+dfsg1-9
debian 13	docker.io	>=0 <18.09.1+dfsg1-9	18.09.1+dfsg1-9
debian 11	docker.io	>=0 <18.09.1+dfsg1-9	18.09.1+dfsg1-9
debian 14	docker.io	>=0 <18.09.1+dfsg1-9	18.09.1+dfsg1-9

Aliases

1. CVE-2019-142712. NVD-2019-142713. OSV-2019-142714. OSV-DEBIAN-2019-142715. GHSA-v2cv-wwxq-qq976. GCVE-2019-142717. SECURITY-TRACKER-CVE-2019-14271

References

1. https://github.com/moby/moby/issues/394492. https://github.com/moby/moby/pull/396123. https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d2445454. https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b5. https://docs.docker.com/engine/release-notes6. https://seclists.org/bugtraq/2019/Sep/217. https://security.netapp.com/advisory/ntap-20190828-00038. https://www.debian.org/security/2019/dsa-45219. http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html10. https://github.com/LouisLiuNova/CVE-2019-14271_Exploit11. https://docs.docker.com/engine/release-notes/12. https://security.netapp.com/advisory/ntap-20190828-0003/

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.