GHSA-vfjc-2qcw-j95j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vfjc-2qcw-j95j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vfjc-2qcw-j95j/GHSA-vfjc-2qcw-j95j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vfjc-2qcw-j95j
- Aliases
- Published
- 2022-05-17T00:21:35Z
- Modified
- 2026-02-03T03:03:49.377697Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)
- Details
-
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
- Database specific
{ "nvd_published_at": "2017-11-04T17:29:00Z", "cwe_ids": [ "CWE-200" ], "github_reviewed_at": "2026-01-29T15:12:02Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-16539
- https://github.com/moby/moby/pull/35399
- https://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://github.com/moby/moby
- https://marc.info/?l=linux-scsi&m=150985062200941&w=2
- https://marc.info/?l=linux-scsi&m=150985455801444&w=2
- https://twitter.com/ewindisch/status/926443521820774401
Affected packages
Go / github.com/moby/moby
Package
- Name
- github.com/moby/moby
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/moby/moby