CVE-2018-15869

Publication date 25 August 2018

Last updated 11 July 2025


Ubuntu priority

CVSS 3 severity score

5.3 · Medium


Description

An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via the AWS CLI, and who therefore does not validate the source of the image as AWS security best practices recommend, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
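The owner check that the description says is missing, as an added example (not code from the CVE tracker, awscli or Packer): given the Images list that describe-images returns, only images from an allowlisted owner are considered, and the newest of those wins. The sample records and owner IDs below are constructed placeholders, and the "newest by name alone" helper shows what a lookup without an owner filter would pick.

```python
"""Select an AMI from describe-images output, rejecting untrusted owners."""
from datetime import datetime, timezone

# Constructed sample of the Images[] array from `aws ec2 describe-images`.
# Owner IDs and image IDs are placeholders, not real AWS account or AMI IDs.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20180810",
     "CreationDate": "2018-08-10T12:00:00.000Z", "Public": True},
    # Community image whose name imitates the trusted one and is newer.
    {"ImageId": "ami-0000000000000002", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20180824",
     "CreationDate": "2018-08-24T12:00:00.000Z", "Public": True},
    {"ImageId": "ami-0000000000000003", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180814",
     "CreationDate": "2018-08-14T12:00:00.000Z", "Public": True},
]

# Placeholder allowlist: in practice, the publisher's documented account ID.
TRUSTED_OWNERS = {"111111111111"}


def parse_creation(ts):
    """Parse the ISO-8601 CreationDate string into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def newest_by_name_only(images, name_prefix):
    """The unsafe lookup: newest matching name, owner never checked."""
    matches = [i for i in images if i["Name"].startswith(name_prefix)]
    return max(matches, key=lambda i: parse_creation(i["CreationDate"]))["ImageId"]


def select_ami(images, trusted_owners, name_prefix):
    """Newest image whose owner is allowlisted; fail closed if none match."""
    candidates = [
        i for i in images
        if i["OwnerId"] in trusted_owners and i["Name"].startswith(name_prefix)
    ]
    if not candidates:
        raise LookupError("no image from a trusted owner matched %r" % name_prefix)
    return max(candidates, key=lambda i: parse_creation(i["CreationDate"]))["ImageId"]


if __name__ == "__main__":
    prefix = "ubuntu/images/hvm-ssd/ubuntu-bionic"
    print("without owner check:", newest_by_name_only(SAMPLE_IMAGES, prefix))
    print("with owner check:   ", select_ami(SAMPLE_IMAGES, TRUSTED_OWNERS, prefix))
```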


Status

Package   Ubuntu release     Status
awscli    25.10 questing     Needs evaluation
awscli    25.04 plucky       Needs evaluation
awscli    24.10 oracular     Ignored (end of life, was needs-triage)
awscli    24.04 LTS noble    Not in release
awscli    23.10 mantic       Not affected
awscli    23.04 lunar        Not affected
awscli    22.10 kinetic      Not affected
awscli    22.04 LTS jammy    Not affected
awscli    21.10 impish       Not affected
awscli    21.04 hirsute      Not affected
awscli    20.10 groovy       Not affected
awscli    20.04 LTS focal    Not affected
awscli    19.10 eoan         Not affected
awscli    19.04 disco        Not affected
awscli    18.10 cosmic       Not affected
awscli    18.04 LTS bionic   Not affected
awscli    16.04 LTS xenial   Not affected
awscli    14.04 LTS trusty   Not affected
packer    25.10 questing     Not in release
packer    25.04 plucky       Not in release
packer    24.10 oracular     Not in release
packer    24.04 LTS noble    Not in release
packer    23.10 mantic       Not in release
packer    23.04 lunar        Not affected
packer    22.10 kinetic      Ignored (end of life, was needed)
packer    22.04 LTS jammy    Vulnerable
packer    21.10 impish       Ignored (end of life)
packer    21.04 hirsute      Ignored (end of life)
packer    20.10 groovy       Ignored (end of life)
packer    20.04 LTS focal    Vulnerable
packer    19.10 eoan         Ignored (end of life)
packer    19.04 disco        Ignored (end of life)
packer    18.10 cosmic       Ignored (end of life)
packer    18.04 LTS bionic   Vulnerable
packer    16.04 LTS xenial   Not in release
packer    14.04 LTS trusty   Not in release

Notes


msalvatore

This CVE may actually be against hashicorp/packer instead of awscli. Monitor https://github.com/hashicorp/packer/issues/6584 to see if this actually affects awscli.


redhat

Closing this bug as NOTABUG and asked MITRE for rejection, since the issue does not seem to be in AWS CLI but in Packer.


msalvatore

Amazon has addressed this: "The ability to query for images without specifying an owner is the intended design." "This seems to have been a gap in 3rd party software" Ignoring awscli package.

Severity score breakdown

Parameter               Value
Base score              5.3 · Medium
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        Low
Availability impact     None
Vector                  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N