Denial of Service Vulnerability in Docker Engine by Docker, Inc.
CVE-2018-20699

4.9MEDIUM

Key Information:

Vendor

Docker

Status
Engine
Vendor
CVE Published:
12 January 2019

What is CVE-2018-20699?

A vulnerability in Docker Engine allows attackers to exploit large integer values for the --cpuset-mems or --cpuset-cpus parameters. This can lead to excessive memory consumption by the dockerd process, resulting in a denial of service. The affected code components related to this vulnerability include daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. Users of Docker Engine versions before 18.09 should apply necessary updates to mitigate this risk.

References

https://github.com/docker/engine/pull/70
x_refsource_MISC
https://github.com/moby/moby/pull/37967
x_refsource_MISC
https://access.redhat.com/errata/RHSA-2019:0487
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-20699 : Denial of Service Vulnerability in Docker Engine by Docker, Inc.