CVE-2018-11757

moderate-risk
Published 2018-07-23

In Docker Skeleton Runtime for Apache OpenWhisk, a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation.

Do I need to act?

~
2.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 891896f25c39bc336ef6dda53f80f466ac4ca3c8
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Openwhisk

Affected Vendors

Apache

References (7)

Third Party Advisory http://www.securityfocus.com/bid/104913
Patch https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891896f25c39...
https://lists.apache.org/thread.html/0b6d8a677f1c063ed32eb3638ef4d1a47dfba8907de...
Mitigation https://www.puresec.io/hubfs/Apache%20OpenWhisk%20PureSec%20Security%20Advisory....
Third Party Advisory http://www.securityfocus.com/bid/104913
Patch https://github.com/apache/incubator-openwhisk-runtime-docker/commit/891896f25c39...
https://lists.apache.org/thread.html/0b6d8a677f1c063ed32eb3638ef4d1a47dfba8907de...
43
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal