CVE-2017-16539
Aliases:GHSA-vfjc-2qcw-j95j
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 04 Nov 2017, 17:00
Last modified:27 Jan 2026, 20:39
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
5.9 MEDIUM
v3.1 (cve.org)
EPSS Score
0.44% LOW
0% probability -0.33%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
04 Nov 2017, 17:00
Published
Vulnerability first disclosed
27 Jan 2026, 20:39
Last Modified
Vulnerability information updated
Description
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- v3.0•MEDIUM•Score: 5.9CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.44%• Percentile: 64%
Techniques & Countermeasures
- CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Affected Systems
- github.com/moby•moby
< 17.12.0-ce
- mobyproject•moby
≤ 17.03.2
References (8)
- https://marc.info/?l=linux-scsi&m=150985455801444&w=2
- https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://marc.info/?l=linux-scsi&m=150985062200941&w=2
- https://github.com/moby/moby/pull/35399
- https://twitter.com/ewindisch/status/926443521820774401
- https://nvd.nist.gov/vuln/detail/CVE-2017-16539
- https://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://github.com/moby/moby