View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2018-15664 severity moderate: SUSE including 332 source package names (1.37.1.8.5.1:libcontainers-common-20190401-3.3.5, 2.0.2-4.2.20:fuse-overlayfs-0.4.1-3.3.8, …), 712 product×package rows across 301 product lines (Container rancher/elemental-teal-rt/5.4, Container rancher/elemental-teal/5.4, … (301 product lines)): Fixed 555, Known Affected 157.
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).