Moderate severity · NVD Advisory · Published May 18, 2015 · Updated May 6, 2026
CVE-2015-3627
Description
Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
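The description above is the whole of the page's own explanation of the bug, so what follows is an added worked example, written for this page and not taken from the advisory, Docker or libcontainer. It shows the path-resolution mistake the description names, joining an image-controlled path onto the rootfs and letting the host kernel follow the image's symlinks, beside a scoped resolver that re-anchors absolute link targets at the rootfs and clamps `..` there, which is the idea behind docker's `pkg/symlink.FollowSymlinkInScope` (reimplemented here from that idea, not copied). The function names `naiveOpenEscapes`, `resolveInScope` and `buildMaliciousRootfs` are chosen here; the malicious rootfs is constructed in a temporary directory, and a constructed host directory stands in for the `/proc` or `/etc` target a real image would point at.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveOpenEscapes is the unsafe pattern: the image-controlled path is joined onto
// the rootfs and opened from outside the chroot, so the image's symlinks decide
// where the open lands. It reports whether that landing point is outside rootfs.
func naiveOpenEscapes(rootfs, containerPath string) (bool, string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return false, "", err
	}
	real, err := filepath.EvalSymlinks(filepath.Join(rootfs, containerPath)) // what open(2) would follow
	if err != nil {
		return false, "", err
	}
	inside := real == root || strings.HasPrefix(real, root+string(filepath.Separator))
	return !inside, real, nil
}

// resolveInScope walks containerPath one component at a time, following symlinks
// but re-anchoring absolute link targets at rootfs and clamping ".." there, so the
// result cannot leave rootfs. Missing components are kept (a mount destination may
// be created later). Hypothetical reimplementation of the FollowSymlinkInScope idea.
func resolveInScope(rootfs, containerPath string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	comps := strings.Split(containerPath, sep)
	cur, hops := root, 0
	for i := 0; i < len(comps); i++ {
		c := comps[i]
		if c == "" || c == "." {
			continue
		}
		if c == ".." {
			if cur != root { // never climb above the rootfs
				cur = filepath.Dir(cur)
			}
			continue
		}
		next := filepath.Join(cur, c)
		fi, err := os.Lstat(next)
		if errors.Is(err, os.ErrNotExist) || (err == nil && fi.Mode()&os.ModeSymlink == 0) {
			cur = next // plain file or directory, or not created yet: keep walking
			continue
		}
		if err != nil {
			return "", err
		}
		if hops++; hops > 40 {
			return "", fmt.Errorf("too many symlinks resolving %q", containerPath)
		}
		target, err := os.Readlink(next)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			cur = root // "/proc" inside the image means rootfs/proc, never host /proc
		}
		comps = append(strings.Split(target, sep), comps[i+1:]...) // splice target in
		i = -1                                                     // and restart walking
	}
	return cur, nil
}

// buildMaliciousRootfs constructs a throwaway image rootfs (constructed test data):
// /var/log is an absolute symlink to hostTarget, standing in for /proc or /etc, and
// /up is a relative symlink that tries to climb out of the rootfs.
func buildMaliciousRootfs(hostTarget string) (string, error) {
	rootfs, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		return "", err
	}
	if err = os.MkdirAll(filepath.Join(rootfs, "var"), 0o755); err == nil {
		err = os.Symlink(hostTarget, filepath.Join(rootfs, "var", "log"))
	}
	if err == nil {
		err = os.Symlink("../../../..", filepath.Join(rootfs, "up"))
	}
	return rootfs, err
}

func main() {
	host, _ := os.MkdirTemp("", "host") // constructed stand-in for a host directory
	_ = os.WriteFile(filepath.Join(host, "shadow"), []byte("root:*:0:0:::\n"), 0o600)
	rootfs, err := buildMaliciousRootfs(host)
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(host)
	defer os.RemoveAll(rootfs)
	escaped, real, _ := naiveOpenEscapes(rootfs, "/var/log/shadow")
	fmt.Printf("naive join opens %s (escapes rootfs: %v)\n", real, escaped)
	for _, p := range []string{"/var/log/shadow", "/up/etc/passwd"} {
		scoped, err := resolveInScope(rootfs, p)
		fmt.Printf("scoped %s -> %s (err: %v)\n", p, scoped, err)
	}
}
```

The naive join lands on the constructed host file because the kernel interprets the image's absolute `/…` link target against the host root; the scoped walk interprets the same target against the rootfs, and a relative `../../../..` link is clamped at the rootfs instead of climbing out of it. Resolving on the daemon side still leaves a window between resolution and the later open or mount, which is why the real fix moved the evaluation into libcontainer; the example shows the scoping rule, not where it has to run.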
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/docker/docker (Go) | < 1.6.1 | 1.6.1 |
Patches
d5ebb60bddba Allow libcontainer to eval symlink destination
2 files changed · +19 −8
daemon/execdriver/native/create.go+1 −8 modified@@ -6,12 +6,10 @@ import ( "errors" "fmt" "net" - "path/filepath" "strings" "syscall" "github.com/docker/docker/daemon/execdriver" - "github.com/docker/docker/pkg/symlink" "github.com/docker/libcontainer/apparmor" "github.com/docker/libcontainer/configs" "github.com/docker/libcontainer/devices" @@ -228,21 +226,16 @@ func (d *driver) setupMounts(container *configs.Config, c *execdriver.Command) e container.Mounts = defaultMounts for _, m := range c.Mounts { - dest, err := symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs) - if err != nil { - return err - } flags := syscall.MS_BIND | syscall.MS_REC if !m.Writable { flags |= syscall.MS_RDONLY } if m.Slave { flags |= syscall.MS_SLAVE } - container.Mounts = append(container.Mounts, &configs.Mount{ Source: m.Source, - Destination: dest, + Destination: m.Destination, Device: "bind", Flags: flags, })
integration-cli/docker_cli_run_test.go+18 −0 modified@@ -3487,3 +3487,21 @@ func TestRunReadProcLatency(t *testing.T) { } logDone("run - read /proc/latency_stats") } + +func TestMountIntoProc(t *testing.T) { + defer deleteAllContainers() + code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/proc//sys", "busybox", "true")) + if err == nil || code == 0 { + t.Fatal("container should not be able to mount into /proc") + } + logDone("run - mount into proc") +} + +func TestMountIntoSys(t *testing.T) { + defer deleteAllContainers() + code, err := runCommand(exec.Command(dockerBinary, "run", "-v", "/sys/", "busybox", "true")) + if err == nil || code == 0 { + t.Fatal("container should not be able to mount into /sys") + } + logDone("run - mount into sys") +}
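Review bot: In the setupMounts hunk of daemon/execdriver/native/create.go, dropping the `symlink.FollowSymlinkInScope(filepath.Join(c.Rootfs, m.Destination), c.Rootfs)` call and passing `Destination: m.Destination,` straight into `configs.Mount` leaves the daemon doing no check on the destination at all; the scoping now has to happen inside libcontainer when it applies the mount, yet no libcontainer change (vendor bump or Godeps update) is part of this diff. The two halves should land together, or the commit should name the libcontainer revision it depends on, because a tree with this daemon change and the older libcontainer has no destination scoping. A one-line comment on the `Destination` field, saying the path is container-relative and is evaluated by libcontainer once the rootfs is in place, would also keep the removed call from reading as an accidental regression.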
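Review bot: TestMountIntoProc and TestMountIntoSys pass whenever `docker run` exits non-zero, so a missing busybox image or a daemon that is not running satisfies `if err == nil || code == 0` just as well as the intended refusal; capture the command's output and assert that it names the refused destination so the tests pin the behaviour. They also only cover the literal volume paths `/proc//sys` and `/sys/`; the case the advisory describes, a destination inside the image that is a symlink to /proc, is not exercised. A test that builds an image with `RUN ln -s /proc /evil` and runs `-v /evil/sys busybox true` would cover the symlink evaluation this commit delegates to libcontainer.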
References
- github.com/advisories/GHSA-g7v2-2qxx-wjrw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-3627 (GHSA, advisory)
- github.com/docker/docker/commit/d5ebb60bddbabea0439213501f4f6ed494b23cba (GHSA, web)
- groups.google.com/forum/ (GHSA, NVD, web)
- lists.opensuse.org/opensuse-updates/2015-05/msg00023.html (GHSA, NVD, web)
- packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html (GHSA, NVD, web)
- seclists.org/fulldisclosure/2015/May/28 (GHSA, NVD, web)