CVE-2017-16539
MEDIUM5.9EPSS 0.44%Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)
Published: 5/17/2022Modified: 4/28/2026
Also known as:DEBIAN-CVE-2017-16539
Description
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
Affected packages (2)
- Debian/docker.iofrom 0, < 1.13.1~ds3-1
- Go/github.com/moby/mobyfrom 0, < 17.12.0-ce
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16539
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-16539
- PATCHhttps://github.com/moby/moby
- WEBhttps://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- WEBhttps://github.com/moby/moby/pull/35399
- WEBhttps://marc.info/?l=linux-scsi&m=150985062200941&w=2
- WEBhttps://marc.info/?l=linux-scsi&m=150985455801444&w=2
- WEBhttps://twitter.com/ewindisch/status/926443521820774401