CVE-2016-3697

Published: 1 June 2016

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package    Release    Status

docker.io (Launchpad, Ubuntu, Debian)
           precise    Does not exist
           trusty     Does not exist (trusty was not-affected)
           upstream   Needs triage
           wily       Ignored (reached end-of-life)
           xenial     Not vulnerable
           yakkety    Ignored (reached end-of-life)
           zesty      Not vulnerable

runc (Launchpad, Ubuntu, Debian)
           precise    Does not exist
           trusty     Does not exist
           upstream   Released (0.1.0+dfsg-1)
           wily       Does not exist
           xenial     Not vulnerable (1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1)
           yakkety    Ignored (reached end-of-life)
           zesty      Released (1.0.0~rc2+docker1.12.6-0ubuntu1)