suse · CVE-2018-15664

Quick triage

Priority: medium Published: 2021-05-30 14:15:58 UTC Updated: 2026-04-17 15:19:10 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2018-15664 severity moderate: SUSE including 332 source package names (1.37.1.8.5.1:libcontainers-common-20190401-3.3.5, 2.0.2-4.2.20:fuse-overlayfs-0.4.1-3.3.8, …), 712 product×package rows across 301 product lines (Container rancher/elemental-teal-rt/5.4, Container rancher/elemental-teal/5.4, … (301 product lines)): Fixed 555, Known Affected 157.

Description:

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

cvelogic Threat Intelligence