{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-03T00:00:00", "descriptions": [{"lang": "en", "value": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SUSE-SU-2015:2292", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html"}, {"name": "RHSA-2015:2636", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2636.html"}, {"name": "DSA-3372", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3372"}, {"name": "[containers] 20150403 [PATCH review 17/19] vfs: Test for and handle paths that are unreachable from their mnt_root", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29173"}, {"name": "RHSA-2016:0068", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0068.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78"}, {"name": "SUSE-SU-2016:0337", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009.html"}, {"name": "USN-2792-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2792-1"}, {"name": "73926", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/73926"}, {"name": "SUSE-SU-2016:0434", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00034.html"}, {"name": "DSA-3364", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3364"}, {"name": "USN-2794-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2794-1"}, {"name": "USN-2799-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2799-1"}, {"name": "USN-2795-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2795-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "SUSE-SU-2015:2194", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html"}, {"name": "SUSE-SU-2016:0380", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00017.html"}, {"name": "SUSE-SU-2016:0335", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "[containers] 20150403 [PATCH review 19/19] vfs: Do not allow escaping from bind mounts.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29177"}, {"name": "SUSE-SU-2016:0383", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00019.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65"}, {"name": "SUSE-SU-2016:0386", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00021.html"}, {"name": "[oss-security] 20150404 Re: Linux namespaces: It is possible to escape from bind mounts", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/04/04/4"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0384", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209373"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0387", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00022.html"}, {"name": "SUSE-SU-2016:0381", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00018.html"}, {"name": "USN-2798-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2798-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-2925", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SU-2015:2292", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html"}, {"name": "RHSA-2015:2636", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-2636.html"}, {"name": "DSA-3372", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3372"}, {"name": "[containers] 20150403 [PATCH review 17/19] vfs: Test for and handle paths that are unreachable from their mnt_root", "refsource": "MLIST", "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29173"}, {"name": "RHSA-2016:0068", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0068.html"}, {"name": "http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78", "refsource": "CONFIRM", "url": "http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78"}, {"name": "SUSE-SU-2016:0337", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009.html"}, {"name": "USN-2792-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2792-1"}, {"name": "73926", "refsource": "BID", "url": "http://www.securityfocus.com/bid/73926"}, {"name": "SUSE-SU-2016:0434", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00034.html"}, {"name": "DSA-3364", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3364"}, {"name": "USN-2794-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2794-1"}, {"name": "USN-2799-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2799-1"}, {"name": "USN-2795-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2795-1"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "SUSE-SU-2015:2194", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html"}, {"name": "SUSE-SU-2016:0380", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00017.html"}, {"name": "SUSE-SU-2016:0335", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "[containers] 20150403 [PATCH review 19/19] vfs: Do not allow escaping from bind mounts.", "refsource": "MLIST", "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29177"}, {"name": "SUSE-SU-2016:0383", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00019.html"}, {"name": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65", "refsource": "CONFIRM", "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65"}, {"name": "SUSE-SU-2016:0386", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00021.html"}, {"name": "[oss-security] 20150404 Re: Linux namespaces: It is possible to escape from bind mounts", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/04/4"}, {"name": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4", "refsource": "CONFIRM", "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367"}, {"name": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37", "refsource": "CONFIRM", "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0384", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00020.html"}, {"name": "https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65", "refsource": "CONFIRM", "url": "https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1209373", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209373"}, {"name": "https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37", "refsource": "CONFIRM", "url": "https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0387", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00022.html"}, {"name": "SUSE-SU-2016:0381", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00018.html"}, {"name": "USN-2798-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2798-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:32:20.368Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SU-2015:2292", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html"}, {"name": "RHSA-2015:2636", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2636.html"}, {"name": "DSA-3372", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3372"}, {"name": "[containers] 20150403 [PATCH review 17/19] vfs: Test for and handle paths that are unreachable from their mnt_root", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29173"}, {"name": "RHSA-2016:0068", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0068.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78"}, {"name": "SUSE-SU-2016:0337", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009.html"}, {"name": "USN-2792-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2792-1"}, {"name": "73926", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/73926"}, {"name": "SUSE-SU-2016:0434", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00034.html"}, {"name": "DSA-3364", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3364"}, {"name": "USN-2794-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2794-1"}, {"name": "USN-2799-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2799-1"}, {"name": "USN-2795-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2795-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "SUSE-SU-2015:2194", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html"}, {"name": "SUSE-SU-2016:0380", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00017.html"}, {"name": "SUSE-SU-2016:0335", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "[containers] 20150403 [PATCH review 19/19] vfs: Do not allow escaping from bind mounts.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29177"}, {"name": "SUSE-SU-2016:0383", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00019.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65"}, {"name": "SUSE-SU-2016:0386", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00021.html"}, {"name": "[oss-security] 20150404 Re: Linux namespaces: It is possible to escape from bind mounts", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/04/04/4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0384", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209373"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37"}, {"name": "SUSE-SU-2016:0387", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00022.html"}, {"name": "SUSE-SU-2016:0381", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00018.html"}, {"name": "USN-2798-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2798-1"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-2925", "datePublished": "2015-11-16T11:00:00", "dateReserved": "2015-04-04T00:00:00", "dateUpdated": "2024-08-06T05:32:20.368Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE120905-B567-4C6A-B5FB-D67BD7F739FC", "versionEndExcluding": "3.2.72", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C8B61A5-8FAD-4BD3-97B3-C58F7C345068", "versionEndExcluding": "3.4.110", "versionStartIncluding": "3.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8B1C5C6-5CD1-49CF-8D7E-35F0C521C7B0", "versionEndExcluding": "3.10.91", "versionStartIncluding": "3.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BAC04088-506C-43F4-A117-588E491AAB0F", "versionEndExcluding": "3.12.49", "versionStartIncluding": "3.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8E1FD15-2457-4F3A-8646-72F09023DC8E", "versionEndExcluding": "3.14.55", "versionStartIncluding": "3.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DC4BA70-B111-4D2E-BC78-6601CED68F08", "versionEndExcluding": "3.16.35", "versionStartIncluding": "3.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7043CE62-482A-4B0E-8EE0-6BD0414183E4", "versionEndExcluding": "3.18.23", "versionStartIncluding": "3.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "06F92550-FE49-41E4-AD36-3231D9425CFF", "versionEndExcluding": "4.1.11", "versionStartIncluding": "3.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A544034C-A7B8-4387-9EC2-E9AD5D6C0163", "versionEndExcluding": "4.2.4", "versionStartIncluding": "4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\""}, {"lang": "es", "value": "La funci\u00f3n prepend_path en fs/dcache.c en el kernel Linux en versiones anteriores a 4.2.4 no maneja adecuadamente el cambio de nombre de las acciones dentro de un enlace de montaje, lo que permite a usuarios locales eludir un mecanismo de protecci\u00f3n destinado al contenedor mediante el cambio de nombre de un directorio, relacionado con un 'double-chroot attack'."}], "id": "CVE-2015-2925", "lastModified": "2024-07-17T15:29:49.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-16T11:59:00.117", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00005.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00018.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00007.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00017.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00018.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00019.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00020.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00022.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00034.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29173"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://permalink.gmane.org/gmane.linux.kernel.containers/29177"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?h=f22&id=520b64102de2f184036024b2a53de2b67463bd78"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-2636.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0068.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3364"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3372"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.4"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/04/04/4"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/73926"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2792-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2794-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2795-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2798-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2799-1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209373"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/397d425dc26da728396e66d392d5dcb8dac30c37"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/torvalds/linux/commit/cde93be45a8a90d8c264c776fab63487b5038a65"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:2636", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "kernel-0:2.6.32-573.12.1.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-12-15T00:00:00Z"}, {"advisory": "RHSA-2015:2411", "cpe": "cpe:/a:redhat:rhel_extras_rt:7", "package": "kernel-rt-0:3.10.0-327.rt56.204.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}, {"advisory": "RHSA-2015:2152", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "kernel-0:3.10.0-327.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}, {"advisory": "RHSA-2015:2587", "cpe": "cpe:/o:redhat:rhel_eus:7.1", "package": "kernel-0:3.10.0-229.24.2.ael7b", "product_name": "Red Hat Enterprise Linux 7.1 Extended Update Support", "release_date": "2015-12-09T00:00:00Z"}, {"advisory": "RHSA-2016:0068", "cpe": "cpe:/a:redhat:enterprise_mrg:2:server:el6", "package": "kernel-rt-1:3.10.0-327.rt56.170.el6rt", "product_name": "Red Hat Enterprise MRG 2", "release_date": "2016-01-26T00:00:00Z"}], "bugzilla": {"description": "Kernel: vfs: Do not allow escaping from bind mounts", "id": "1209367", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1209367"}, "csaw": false, "cvss": {"cvss_base_score": "6.0", "cvss_scoring_vector": "AV:L/AC:H/Au:S/C:C/I:C/A:C", "status": "verified"}, "cwe": "CWE-22", "details": ["The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a \"double-chroot attack.\"", "A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system."], "name": "CVE-2015-2925", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2015-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-2925\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-2925"], "statement": "This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5.\nThis issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7 and Red Hat Enterprise MRG 2. Future kernel updates for the respective releases may address this issue.", "threat_severity": "Important"}