VYPR
Critical severity · NVD Advisory · Published Jul 29, 2019 · Updated Aug 5, 2024

CVE-2019-14271

Description

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Docker 19.03.x before 19.03.1 with glibc allows code injection when nsswitch loads a library inside a container's chroot during docker cp.

Root Cause

Docker 19.03.x before 19.03.1, when linked against glibc, is vulnerable to code injection via the Name Service Switch (nsswitch) facility [1][2]. When a user runs docker cp, the daemon's archive helper (the chrootarchive code path) chroots into the container's root filesystem before copying files. glibc resolves NSS modules lazily: the first name lookup (a user or host name, for instance) dlopen()s the matching libnss_*.so (e.g., libnss_files.so) by path, and if that first lookup happens after the chroot, the path is resolved inside the container's filesystem rather than the host's. A container that ships a crafted library at that path therefore has its code loaded and executed by the host process with host-level privileges [1][2].

Attack Surface and Prerequisites

Exploitation requires a host running a vulnerable Docker version (19.03.x < 19.03.1) and glibc as the C library. The attacker must have the ability to place a malicious shared library at a path in the container's filesystem that nsswitch expects to load (e.g., replacing libnss_files.so) [2][4]. The attack is triggered when a user runs docker cp on a container that has been compromised to contain such a library [1][4]. No additional authentication is needed if the attacker can already control container contents (e.g., via a malicious image or compromised container).

Impact

Successful exploitation results in arbitrary code execution on the host with the privileges of the Docker daemon (typically root) [1][2]. This breaks container isolation and allows the attacker to fully compromise the host system, potentially leading to data exfiltration, lateral movement, or further attacks.

Mitigation

Docker fixed this vulnerability in version 19.03.1 [1]. Users should upgrade to 19.03.1 or later. No workaround is available; the only mitigation is to update Docker Engine. The issue is listed as a high-severity (CVSS score 8.7) vulnerability requiring urgent patching [2].
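A version check for the range stated above, added here as an example (it is not part of the advisory or of the Docker project): it parses the daemon's reported version, treats pre-release builds of the first patched version conservatively, and assumes the `docker version --format '{{.Server.Version}}'` output shape.

```python
import re
import subprocess
from typing import Optional, Tuple

# Range from this advisory: Docker Engine >= 19.03.0 and < 19.03.1 is affected.
AFFECTED_MIN = (19, 3, 0)
PATCHED = (19, 3, 1)

# "19.03.1", "v19.03.0-rc2", "19.03.1-ce+build1" -> numeric triple plus optional pre-release tag
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(rc|beta|alpha)\d*)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return triple, m.group(4) is not None


def is_affected(version: str) -> Optional[bool]:
    """True if the engine version lies in [19.03.0, 19.03.1), False if outside,
    None if the string cannot be parsed.
    Assumption (ours, not the advisory's): a pre-release of the first patched version,
    e.g. 19.03.1-rc1, may predate the fix and is therefore treated as affected.
    Only the version is checked; the advisory's glibc-linkage condition is assumed to hold."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    triple, prerelease = parsed
    if triple == PATCHED and prerelease:
        return True
    return AFFECTED_MIN <= triple < PATCHED


def engine_version() -> str:
    """Query the local daemon for its version; needs access to the Docker socket."""
    out = subprocess.run(["docker", "version", "--format", "{{.Server.Version}}"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = engine_version()
    status = {True: "AFFECTED: upgrade to 19.03.1 or later",
              False: "not in the affected range",
              None: "could not parse version"}[is_affected(v)]
    print(f"Docker Engine {v}: {status}")
```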

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/docker/docker (Go)
Affected versions: >= 19.03.0, < 19.03.1
Patched versions: 19.03.1

Affected products: 45

Patches: 2
11e48badcb67

Merge pull request #39612 from tiborvass/cve-2019-14271

https://github.com/moby/moby · Akihiro Suda · Jul 26, 2019 · via ghsa
1 file changed · +9 -0
  • pkg/chrootarchive/archive.go · +9 -0 · modified
    @@ -4,13 +4,22 @@ import (
     	"fmt"
     	"io"
     	"io/ioutil"
    +	"net"
     	"os"
    +	"os/user"
     	"path/filepath"
     
     	"github.com/docker/docker/pkg/archive"
     	"github.com/docker/docker/pkg/idtools"
     )
     
    +func init() {
    +	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
    +	// environment not in the chroot from untrusted files.
    +	_, _ = user.Lookup("docker")
    +	_, _ = net.LookupHost("localhost")
    +}
    +
     // NewArchiver returns a new Archiver which uses chrootarchive.Untar
     func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
     	if idMapping == nil {
    
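Review bot: the init() in this hunk only forces the NSS modules behind the passwd and hosts databases to load (via user.Lookup and net.LookupHost); any other NSS database consulted for the first time after the chroot, group being the obvious candidate given the idtools identity mapping this file works with, would still be resolved lazily and could dlopen a module from the untrusted root filesystem. Consider adding a `user.LookupGroup` call next to `user.Lookup("docker")`, or state in the comment why no other lookup can happen after the chroot. The diff also carries no regression test; even a build-tagged test that asserts the libnss_* objects appear in /proc/self/maps after package init would pin the behaviour down.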
fa8dd90ceb7b

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host

https://github.com/moby/moby · Justin Cormack · Jul 25, 2019 · via ghsa
1 file changed · +9 -0
  • pkg/chrootarchive/archive.go · +9 -0 · modified
    @@ -4,13 +4,22 @@ import (
     	"fmt"
     	"io"
     	"io/ioutil"
    +	"net"
     	"os"
    +	"os/user"
     	"path/filepath"
     
     	"github.com/docker/docker/pkg/archive"
     	"github.com/docker/docker/pkg/idtools"
     )
     
    +func init() {
    +	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
    +	// environment not in the chroot from untrusted files.
    +	_, _ = user.Lookup("docker")
    +	_, _ = net.LookupHost("localhost")
    +}
    +
     // NewArchiver returns a new Archiver which uses chrootarchive.Untar
     func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
     	if idMapping == nil {
    
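Review bot: the comment on init() should say that the return values are deliberately discarded, that the names "docker" and "localhost" are arbitrary and exist only to trigger glibc's dlopen of the configured libnss_* modules, and that the guard relies on this package's init running before any chroot in the process (and does nothing useful under a non-cgo build, where os/user and net do not go through glibc at all). Without that, a reader who sees user.Lookup("docker") fail on a host with no such account may treat it as a bug or swap in a "real" lookup. Suggested wording: `// Results are intentionally ignored: these calls exist only to make glibc load its NSS modules now, from the host's libraries, before any chroot into untrusted container content.`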

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13
