CVE-2014-6407

Summary

CVE	CVE-2014-6407
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-12-12 15:59:00 UTC
Updated	2014-12-15 19:36:00 UTC
Description	Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.

Risk And Classification

Problem Types: CWE-59

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Docker	Docker	1.0.0	All	All	All
Application	Docker	Docker	1.3.0	All	All	All
Application	Docker	Docker	1.0.0	All	All	All
Application	Docker	Docker	1.3.0	All	All	All
Application	Docker	Docker	All	All	All	All

References

Reference	Source	Link	Tags
Release Notes - Docker Documentation	CONFIRM	docs.docker.com	Vendor Advisory
Security Advisory SA60171 - Docker Security Bypass and Data Manipulation Security Issues - Secunia	SECUNIA	secunia.com
oss-security - Docker 1.3.2 - Security Advisory [24 Nov 2014]	MLIST	www.openwall.com
[security-announce] openSUSE-SU-2014:1596-1: important: Security update	SUSE	lists.opensuse.org
Security Advisory SA60241 - Oracle Linux update for docker - Secunia	SECUNIA	secunia.com
[SECURITY] Fedora 21 Update: docker-io-1.3.2-2.fc21	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

900005 CBL-Mariner Linux Security Update for moby-buildx 0.4.1
903053 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-buildx (4411)