CVE-2017-20198

· Published 23/07/2025 14:15 · Modified 23/07/2025 14:15

Labels: CVE-2017-20198, 2025-07-23, CWE-732, [email protected]

Essential information

Published
23/07/2025 14:15
Modified
23/07/2025 14:15
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product
dcos / marathon
CPE
cpe:2.3:a:dcos:marathon:<1.9.0:*:*:*:*:*:*:*

References