CVE-2018-9862

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-9862

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9862.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-9862

Published

2018-04-09T16:29:00.273Z

Modified

2025-11-20T10:53:28.178662Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

util.c in runV 1.0.0 for Docker mishandles a numeric username, which allows attackers to obtain root access by leveraging the presence of an initial numeric value on an /etc/passwd line, and then issuing a "docker exec" command with that value in the -u argument, a similar issue to CVE-2016-3697.

References

Affected packages

Git / github.com/hyperhq/runv

Affected ranges

Type: GIT
Repo: https://github.com/hyperhq/runv
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

cc051a6f77fb678ca3c1609e8c1519bbfd858e60

Affected versions

v0.*

v0.4.0

v0.5.0

v0.6.0

v0.6.2

v0.7.0

v0.8.0

v0.8.1

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9862.json"