Path Traversal in Moby builder · CVE-2020-27534 · GitHub Advisory Database · GitHub

Path Traversal in Moby builder

Moderate severity GitHub Reviewed Published Jan 31, 2024 to the GitHub Advisory Database • Updated Apr 22, 2024

Package

github.com/docker/docker (Go)

Affected versions

< 19.03.9

Patched versions

19.03.9

github.com/moby/moby (Go)

< 19.03.9

19.03.9

Description

util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

References

Published to the GitHub Advisory Database Jan 31, 2024

Reviewed Jan 31, 2024

Last updated Apr 22, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N