CVE-2018-10892 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2018-10892

CVE-2018-10892

July 06, 2018

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.

Related Resources (9)

https://github.com/moby/moby/pull/37404

https://access.redhat.com/errata/RHSA-2018:2729

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html

https://access.redhat.com/security/cve/CVE-2018-10892

https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10892

https://access.redhat.com/errata/RHSA-2018:2482

https://access.redhat.com/errata/RHBA-2018:2796

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892

https://security-tracker.debian.org/tracker/CVE-2018-10892

Do you need more information?

CVSS v4

Base Score:

4.8

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

LOW

CVSS v3

Base Score:

6.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

CVSS v2

Base Score:

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Execution with Unnecessary Privileges

CWE-250

EPSS

Base Score:

0.19

Products

Solutions

Resources

Company

Compare

Developer Tools