CVE-2017-16539
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
04/11/2017
Last modified:
27/01/2026
Description
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:* | 17.03.2 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/moby/moby/pull/35399
- https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://marc.info/?l=linux-scsi&m=150985062200941&w=2
- https://marc.info/?l=linux-scsi&m=150985455801444&w=2
- https://twitter.com/ewindisch/status/926443521820774401
- https://github.com/moby/moby/pull/35399
- https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://marc.info/?l=linux-scsi&m=150985062200941&w=2
- https://marc.info/?l=linux-scsi&m=150985455801444&w=2
- https://twitter.com/ewindisch/status/926443521820774401