{"id":"CVE-2018-15664","details":"In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).","modified":"2026-04-10T04:06:17.786475Z","published":"2019-05-23T14:29:07.453Z","related":["SUSE-SU-2019:1514-1","SUSE-SU-2019:1562-1","SUSE-SU-2019:2223-1","SUSE-SU-2025:03540-1","SUSE-SU-2025:03545-1","openSUSE-SU-2019:1621-1","openSUSE-SU-2019:2044-1","openSUSE-SU-2024:10722-1","openSUSE-SU-2024:10931-1","openSUSE-SU-2025:15589-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/4048-1/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2019/08/21/1"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00066.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00001.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108507"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1910"},{"type":"ADVISORY","url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/cve-2018-15664"},{"type":"REPORT","url":"https://github.com/moby/moby/pull/39252"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1096726"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2019/05/28/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/docker/docker","events":[{"introduced":"0"},{"last_affected":"9c5bb024df387b67bb07251265394b87c18014e4"},{"introduced":"0"},{"last_affected":"0aefd9b0f869ba8fbbc37e62122a5c10aea2bf4a"},{"introduced":"0"},{"last_affected":"631cf6dc8d68f4e8b9f972e12c7d2db1e9296a0a"},{"introduced":"0"},{"last_affected":"a67f442586e0cfcc212e6fe2aca5f0a27c36e52a"},{"introduced":"0"},{"last_affected":"a65742e314ad60fbbe7a0d824b690570f4479848"},{"introduced":"0"},{"last_affected":"cc547fdd4b5dcd0484251448fb835fc50a981eca"},{"introduced":"0"},{"last_affected":"9ae42ade4abd3cf2c57c475c2e800bb3a1a62158"},{"introduced":"0"},{"last_affected":"d27ffb2708a504f6caefad306dcdfb28a1300923"},{"introduced":"0"},{"last_affected":"acf06a5d60215654d680306103fc27df300f3bec"},{"introduced":"0"},{"last_affected":"02e0bfa75306b341a5602a91d68f35000687366d"},{"introduced":"0"},{"last_affected":"645ac4448c2537e1d42b0bb8ca29f313a2490f19"},{"introduced":"0"},{"last_affected":"5f70730d579a1c9d48a2d4259f57fb698960baf4"},{"introduced":"0"},{"last_affected":"587c4842ac4e77133999452db63f9d3826b5a477"},{"introduced":"0"},{"last_affected":"f50976f2fa8a4dba2cc74d9d1461d53eb6874350"},{"introduced":"0"},{"last_affected":"01019b4690d9240364f3370d05d9062f89cd4ae8"},{"introduced":"0"},{"last_affected":"b6d4a90f86703d350eeb62b0a607957b37ddb4c9"},{"introduced":"0"},{"last_affected":"07da379f6f16ba329459d08d5a95843450e531f9"},{"introduced":"0"},{"last_affected":"72d39dcf92bd3e9605318608f8e725f925c69add"},{"introduced":"0"},{"last_affected":"91437e70a02d6292a9e706378df34a67d5f7371e"},{"introduced":"0"},{"last_affected":"09f92710e6ad95d96b6469f3beaadfaa90d478aa"},{"introduced":"0"},{"last_affected":"95edf9a73785dda6b362a5bfb69f3e38d10cf842"},{"introduced":"0"},{"last_affected":"9192f71fd206a91522ea2e6d42ce11f1d7b35d11"},{"introduced":"0"},{"last_affected":"d8554bd58666303ff385d759118460e3a24dc0c7"},{"introduced":"0"},{"last_affected":"f3c7f4d6abdd8bb0d092a7cca370bcedad29e279"},{"introduced":"0"},{"last_affected":"17604f2b825ee8798311d75ceeb47581dce840c8"},{"introduced":"0"},{"last_affected":"9fd28d5568155316cbe8bc7ed307ef0587afff10"},{"introduced":"0"},{"last_affected":"2f346d598260b52f5a7cc64dbd3a6f4037e3c6df"},{"introduced":"0"},{"last_affected":"9975fcc14fbe72efc2bbf64c18370d70c51f28e3"},{"introduced":"0"},{"last_affected":"100ff0de2e53010fb1cf170fdca6a4e80524df5b"},{"introduced":"0"},{"last_affected":"80d78d37693f513b681ab821b8826cea8ea0e0c7"},{"introduced":"0"},{"last_affected":"b4da53f9cf06328b85c2fbb000ce81184e909fd1"},{"introduced":"0"},{"last_affected":"52f2b61d119ecc7f8301c527bc50ef317dfcaff3"},{"introduced":"0"},{"last_affected":"5acfe70329181e5b088217f0ec21b6ab50790e9b"},{"introduced":"0"},{"last_affected":"739c4cc6b2bab5c3e27656e0a95d858901ecf6b4"},{"introduced":"0"},{"last_affected":"31375e221696462ea74a54d95978114a8686d034"},{"introduced":"0"},{"last_affected":"de79f2888606f81257ffdb43c9c006e690b161de"},{"introduced":"0"},{"last_affected":"5acfe70329181e5b088217f0ec21b6ab50790e9b"},{"introduced":"0"},{"last_affected":"912cdd107ce6ac4efe7ad8be66de4eb3919f5746"},{"introduced":"0"},{"last_affected":"dcbf022df9871fee2c6cd027e220796ab912218d"},{"introduced":"0"},{"last_affected":"912cdd107ce6ac4efe7ad8be66de4eb3919f5746"},{"introduced":"0"},{"last_affected":"cf8e84c5280054f63d0cc0fcbd9c79f17031b075"},{"introduced":"0"},{"last_affected":"cf8e84c5280054f63d0cc0fcbd9c79f17031b075"},{"introduced":"0"},{"last_affected":"c674293e59bf66fd32d74e335acdb3c0de6f808c"},{"introduced":"0"},{"last_affected":"4328d87b912e3795b6afac4e6e24fbc247e6d55b"},{"introduced":"0"},{"last_affected":"c674293e59bf66fd32d74e335acdb3c0de6f808c"},{"introduced":"0"},{"last_affected":"56c18c6d94a50936fa4f339c24b415ba1e293195"},{"introduced":"0"},{"last_affected":"b61d45bb419eaa7060525610099a7cce51bf8e9d"},{"introduced":"0"},{"last_affected":"cc1977536312462696e8c762280bb55912f881be"},{"introduced":"0"},{"last_affected":"b8ae001c8f5af657df089338a34f20725757c9c6"},{"introduced":"0"},{"last_affected":"56c18c6d94a50936fa4f339c24b415ba1e293195"},{"introduced":"0"},{"last_affected":"20afdcca5bf4fc0a0352ca9ac0343a5b33433ea6"},{"introduced":"0"},{"last_affected":"b3b4787dfdbdda657fdcf77380a3c686ae1283c6"},{"introduced":"0"},{"last_affected":"013d32fbb49602e5ee8ad4ff6f71cb06807c3dc3"},{"introduced":"0"},{"last_affected":"63df8cf4b5d6473291eaf499107825c41af3b5e4"},{"introduced":"0"},{"last_affected":"82c44711cc59c150d09c87506a9bd648599ea0d6"},{"introduced":"0"},{"last_affected":"63df8cf4b5d6473291eaf499107825c41af3b5e4"},{"introduced":"0"},{"last_affected":"e1b9d60d0fffcc949eeb0fe1f7b79b67af363c82"},{"introduced":"0"},{"last_affected":"e1b9d60d0fffcc949eeb0fe1f7b79b67af363c82"},{"introduced":"0"},{"last_affected":"a3ef7e9a9bda939a73dc353aa8df8b0aa47c9466"},{"introduced":"0"},{"last_affected":"1436dc8f8d0f6f60b6e335fbd918d6b22ee6574d"},{"introduced":"0"},{"last_affected":"85b4dbd3db3761dc3e21f3361cf840eefc1e9fb3"},{"introduced":"0"},{"last_affected":"371b590ace0d4a329cd6a3328d31d33c4f77a780"},{"introduced":"0"},{"last_affected":"c4a6ecfcd59169ba820332a0fbbb208e0c19f648"},{"introduced":"0"},{"last_affected":"68a4625393ac66bb90cf8c9435b696c74d021b2e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"17.06.0-ce"},{"introduced":"0"},{"last_affected":"17.06.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.06.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.06.0-ce-rc3"},{"introduced":"0"},{"last_affected":"17.06.0-ce-rc4"},{"introduced":"0"},{"last_affected":"17.06.0-ce-rc5"},{"introduced":"0"},{"last_affected":"17.06.1-ce"},{"introduced":"0"},{"last_affected":"17.06.1-ce-rc1"},{"introduced":"0"},{"last_affected":"17.06.1-ce-rc2"},{"introduced":"0"},{"last_affected":"17.06.1-ce-rc3"},{"introduced":"0"},{"last_affected":"17.06.1-ce-rc4"},{"introduced":"0"},{"last_affected":"17.06.2-ce"},{"introduced":"0"},{"last_affected":"17.06.2-ce-rc1"},{"introduced":"0"},{"last_affected":"17.07.0-ce"},{"introduced":"0"},{"last_affected":"17.07.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.07.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.07.0-ce-rc3"},{"introduced":"0"},{"last_affected":"17.07.0-ce-rc4"},{"introduced":"0"},{"last_affected":"17.09.0-ce"},{"introduced":"0"},{"last_affected":"17.09.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.09.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.09.0-ce-rc3"},{"introduced":"0"},{"last_affected":"17.09.1-ce"},{"introduced":"0"},{"last_affected":"17.09.1-ce--rc1"},{"introduced":"0"},{"last_affected":"17.10.0-ce"},{"introduced":"0"},{"last_affected":"17.10.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.10.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.11.0-ce"},{"introduced":"0"},{"last_affected":"17.11.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.11.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.11.0-ce-rc3"},{"introduced":"0"},{"last_affected":"17.11.0-ce-rc4"},{"introduced":"0"},{"last_affected":"17.12.0-ce"},{"introduced":"0"},{"last_affected":"17.12.0-ce-rc1"},{"introduced":"0"},{"last_affected":"17.12.0-ce-rc2"},{"introduced":"0"},{"last_affected":"17.12.0-ce-rc3"},{"introduced":"0"},{"last_affected":"17.12.0-ce-rc4"},{"introduced":"0"},{"last_affected":"17.12.1-ce"},{"introduced":"0"},{"last_affected":"17.12.1-ce-rc1"},{"introduced":"0"},{"last_affected":"17.12.1-ce-rc2"},{"introduced":"0"},{"last_affected":"18.01.0-ce"},{"introduced":"0"},{"last_affected":"18.01.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.02.0-ce"},{"introduced":"0"},{"last_affected":"18.02.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.02.0-ce-rc2"},{"introduced":"0"},{"last_affected":"18.03.0-ce"},{"introduced":"0"},{"last_affected":"18.03.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.03.0-ce-rc2"},{"introduced":"0"},{"last_affected":"18.03.0-ce-rc3"},{"introduced":"0"},{"last_affected":"18.03.0-ce-rc4"},{"introduced":"0"},{"last_affected":"18.03.1-ce"},{"introduced":"0"},{"last_affected":"18.03.1-ce-rc1"},{"introduced":"0"},{"last_affected":"18.03.1-ce-rc2"},{"introduced":"0"},{"last_affected":"18.04.0-ce"},{"introduced":"0"},{"last_affected":"18.04.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.04.0-ce-rc2"},{"introduced":"0"},{"last_affected":"18.05.0-ce"},{"introduced":"0"},{"last_affected":"18.05.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.06.0-ce"},{"introduced":"0"},{"last_affected":"18.06.0-ce-rc1"},{"introduced":"0"},{"last_affected":"18.06.0-ce-rc2"},{"introduced":"0"},{"last_affected":"18.06.0-ce-rc3"},{"introduced":"0"},{"last_affected":"18.06.1-ce-rc1"},{"introduced":"0"},{"last_affected":"18.06.1-ce-rc2"}]}}],"versions":["0.0.3","docs-v1.12.0-rc4-2016-07-15","upstream/0.1.2","upstream/0.1.3","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.3.2","v0.4.1","v0.4.2","v0.4.4","v0.4.5","v0.4.7","v0.5.0","v0.6.5","v0.7.0","v0.7.1","v0.7.2","v17.06.0-ce","v17.06.0-ce-rc1","v17.06.0-ce-rc2","v17.06.0-ce-rc3","v17.06.0-ce-rc4","v17.06.0-ce-rc5","v17.06.1-ce","v17.06.1-ce-rc1","v17.06.1-ce-rc2","v17.06.1-ce-rc3","v17.06.1-ce-rc4","v17.06.2-ce","v17.06.2-ce-rc1","v17.07.0-ce","v17.07.0-ce-rc1","v17.07.0-ce-rc2","v17.07.0-ce-rc3","v17.07.0-ce-rc4","v17.09.0-ce","v17.09.0-ce-rc1","v17.09.0-ce-rc2","v17.09.0-ce-rc3","v17.09.1-ce","v17.09.1-ce-rc1","v17.10.0-ce","v17.10.0-ce-rc1","v17.10.0-ce-rc2","v17.11.0-ce","v17.11.0-ce-rc1","v17.11.0-ce-rc2","v17.11.0-ce-rc3","v17.11.0-ce-rc4","v17.12.0-ce","v17.12.0-ce-rc1","v17.12.0-ce-rc2","v17.12.0-ce-rc3","v17.12.0-ce-rc4","v17.12.1-ce","v17.12.1-ce-rc1","v17.12.1-ce-rc2","v18.01.0-ce","v18.01.0-ce-rc1","v18.02.0-ce","v18.02.0-ce-rc1","v18.02.0-ce-rc2","v18.03.0-ce","v18.03.0-ce-rc1","v18.03.0-ce-rc2","v18.03.0-ce-rc3","v18.03.0-ce-rc4","v18.03.1-ce","v18.03.1-ce-rc1","v18.03.1-ce-rc2","v18.04.0-ce","v18.04.0-ce-rc1","v18.04.0-ce-rc2","v18.05.0-ce","v18.05.0-ce-rc1","v18.06.0-ce","v18.06.0-ce-rc1","v18.06.0-ce-rc2","v18.06.0-ce-rc3","v18.06.1-ce-rc1","v18.06.1-ce-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15664.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}