CVE-2017-16539
PUBLISHED
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
Risk Scores
- EPSS Score: 0.44% (63.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | docker.io | *, 1.12.6-0ubuntu1~16.04.1, 1.13.1-0ubuntu1~16.04.2 |
| Ubuntu:18.04:LTS | docker.io | 17.03.2-0ubuntu1, 17.03.2-0ubuntu3, 17.03.2-0ubuntu5 |
Timeline
- Nov 4, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-16539 third-party-advisory
- https://twitter.com/ewindisch/status/926443521820774401 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-16539 third-party-advisory