Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2017-16539 #2199

Closed
tatianab opened this issue Nov 8, 2023 · 1 comment
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

Comments

@tatianab
Copy link
Contributor

tatianab commented Nov 8, 2023

CVE-2017-16539 references github.com/moby/moby, which may be a Go module.

Description:
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/moby/moby
      vulnerable_at: 24.0.7+incompatible
      packages:
        - package: n/a
cves:
    - CVE-2017-16539
references:
    - web: https://marc.info/?l=linux-scsi&m=150985455801444&w=2
    - fix: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
    - web: https://marc.info/?l=linux-scsi&m=150985062200941&w=2
    - fix: https://github.com/moby/moby/pull/35399
    - web: https://twitter.com/ewindisch/status/926443521820774401

@tatianab tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process
Projects
None yet
Development

No branches or pull requests

2 participants