CVE-2017-16539

MEDIUM5.9EPSS 0.44%

Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)

發布日:2022/5/17修改日:2026/4/28

也稱為:DEBIAN-CVE-2017-16539

描述

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

受影響套件(2)

Debian/docker.iofrom 0, < 1.13.1~ds3-1
Go/github.com/moby/mobyfrom 0, < 17.12.0-ce

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(8)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16539
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-16539
PATCHhttps://github.com/moby/moby
WEBhttps://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
WEBhttps://github.com/moby/moby/pull/35399
WEBhttps://marc.info/?l=linux-scsi&m=150985062200941&w=2
WEBhttps://marc.info/?l=linux-scsi&m=150985455801444&w=2
WEBhttps://twitter.com/ewindisch/status/926443521820774401