Medium severity 5.9 · NVD Advisory · Published Nov 4, 2017 · Updated May 13, 2026
CVE-2017-16539
Description
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
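A defender-side check for the condition described above, as an added example that is not part of the advisory or of Moby's code: it reads an OCI runtime `config.json` and reports whether `/proc/scsi/scsi` is covered by `linux.maskedPaths`. The names `ociSpec`, `isMasked` and `scsiMasked` are hypothetical, and the two sample documents are constructed from the masked-path entries visible in this page's patch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ociSpec holds only the part of an OCI runtime config.json needed here.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// scsiControlFile is the pathname named in the CVE description.
const scsiControlFile = "/proc/scsi/scsi"

// isMasked reports whether target, or one of its parent directories, is masked.
func isMasked(masked []string, target string) bool {
	target = path.Clean(target)
	for _, m := range masked {
		m = path.Clean(m)
		if target == m || strings.HasPrefix(target, strings.TrimSuffix(m, "/")+"/") {
			return true
		}
	}
	return false
}

// scsiMasked parses a config.json document and checks /proc/scsi/scsi.
func scsiMasked(configJSON []byte) (bool, error) {
	var s ociSpec
	if err := json.Unmarshal(configJSON, &s); err != nil {
		return false, fmt.Errorf("parse config.json: %w", err)
	}
	return isMasked(s.Linux.MaskedPaths, scsiControlFile), nil
}

// Constructed samples: the masked list without and with the "/proc/scsi" entry.
const beforeFix = `{"linux":{"maskedPaths":["/proc/timer_list","/proc/timer_stats","/proc/sched_debug"]}}`
const afterFix = `{"linux":{"maskedPaths":["/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi"]}}`

func main() {
	before, _ := scsiMasked([]byte(beforeFix))
	after, _ := scsiMasked([]byte(afterFix))
	fmt.Printf("masked before fix: %v, after fix: %v\n", before, after)
}
```

The prefix test compares whole path components, so an entry such as `/proc/scsi_host` does not count as covering `/proc/scsi/scsi`.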
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/moby/moby (Go) | < 17.12.0-ce | 17.12.0-ce |
Affected products (1)
Patches (1)
a21ecdf3c8a3 Add /proc/scsi to masked paths
1 file changed · +1 −0
oci/defaults.go+1 −0 modified@@ -119,6 +119,7 @@ func DefaultLinuxSpec() specs.Spec { "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", + "/proc/scsi", }, ReadonlyPaths: []string{ "/proc/asound",
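Review bot: The new "/proc/scsi" entry, added after "/proc/sched_debug" in the masked-paths list of DefaultLinuxSpec(), lands with no comment and no test; the change touches only oci/defaults.go. The list is a flat run of /proc pathnames with nothing recording why each one is there, so add a short comment on the new line saying it blocks container access to /proc/scsi/scsi, and add a test asserting that the default spec's masked paths contain "/proc/scsi" so a later edit to the list cannot drop it silently.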
References (8)
- github.com/moby/moby/pull/35399 (nvd; Issue Tracking, Patch, Third Party Advisory; WEB)
- github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 (nvd; Issue Tracking, Patch, Third Party Advisory)
- marc.info (nvd; Issue Tracking, Patch, Third Party Advisory; WEB)
- marc.info (nvd; Issue Tracking, Patch, Third Party Advisory; WEB)
- github.com/advisories/GHSA-vfjc-2qcw-j95j (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16539 (ghsa; ADVISORY)
- twitter.com/ewindisch/status/926443521820774401 (nvd; Third Party Advisory; WEB)
- github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 (ghsa; WEB)