Fluid Attacks Database

Description

Arbitrary Code Execution in Docker Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/docker/docker	>=0 <1.3.2	1.3.2
debian 13	docker.io	>=0 <1.3.2~dfsg1-1	1.3.2~dfsg1-1
debian 14	docker.io	>=0 <1.3.2~dfsg1-1	1.3.2~dfsg1-1
debian 11	docker.io	>=0 <1.3.2~dfsg1-1	1.3.2~dfsg1-1
debian 12	docker.io	>=0 <1.3.2~dfsg1-1	1.3.2~dfsg1-1

Aliases

1. CVE-2014-64072. NVD-2014-64073. OSV-2014-64074. OSV-DEBIAN-2014-64075. GCVE-2014-64076. SECURITY-TRACKER-CVE-2014-6407

References

1. https://github.com/docker/docker/commit/3ac6394b8082d4700483d52fbfe54914be537d9e2. https://docs.docker.com/v1.3/release-notes3. https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html4. https://lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html5. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-64076. https://www.openwall.com/lists/oss-security/2014/11/24/5