VYPR
Critical severityNVD Advisory· Published Jul 23, 2025· Updated Apr 15, 2026

CVE-2017-20198

CVE-2017-20198

Description

The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Dcos/Marathoninferred2 versions
    < 1.9.0+ 1 more
    • (no CPE)range: < 1.9.0
    • (no CPE)range: <1.9.0
  • DC/OS/DC/OSllm-create
    Range: <1.9.0

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.