CVE-2018-15664

Publication date 23 May 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
docker.io	19.04 disco	Fixed 18.09.7-0ubuntu1~19.04.4
	18.10 cosmic	Fixed 18.09.7-0ubuntu1~18.10.3
	18.04 LTS bionic	Fixed 18.09.7-0ubuntu1~18.04.3
	16.04 LTS xenial	Fixed 18.09.7-0ubuntu1~16.04.4
	14.04 LTS trusty	Not in release

Notes

mdeslaur

initial commits caused a regression which then got fixed, see upstream bug

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
docker.io	Upstream: d089b63 Upstream: 3029e76 Upstream: fb5fe24 Other: https://github.com/moby/moby/pull/39292

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	Required
Scope	Changed
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-4048-1
Docker vulnerabilities
8 July 2019