CVE-2019-14271

Aliases:GHSA-v2cv-wwxq-qq97GO-2024-2521
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 29 Jul 2019, 17:05
Last modified:05 Aug 2024, 00:12

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
71.92% CRITICAL
72% probability -0.28%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

29 Jul 2019, 17:05
Published
Vulnerability first disclosed
05 Aug 2024, 00:12
Last Modified
Vulnerability information updated

Description

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 71.92% Percentile: 99%

Techniques & Countermeasures

  • CWE-665Improper Initialization

    The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Systems

  • debiandebian_linux

    10.0

  • dockerdocker

    ≥ 19.03, < 19.03.1

  • github.com/dockerdocker

    ≥ 19.03.0, < 19.03.1 | < 20.10.0-beta1+incompatible

  • github.com/mobymoby

    < 20.10.0-beta1+incompatible

  • opensuseleap

    15.0 | 15.1

References (14)