Candidate: CVE-2020-14300
PublicDate: 2020-07-13 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14300
Description:
 The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released
 for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053
 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect
 version of runc that was missing multiple bug and security fixes. One of
 the fixes regressed in that update was the fix for CVE-2016-9962, that was
 previously corrected in the docker packages in Red Hat Enterprise Linux 7
 Extras via RHSA-2017:0116
 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was
 assigned to this security regression and it is specific to the docker
 packages produced by Red Hat. The original issue - CVE-2016-9962 - could
 possibly allow a process inside container to compromise a process entering
 container namespace and execute arbitrary code outside of the container.
 This could lead to compromise of the container host or other containers
 running on the same container host. This issue only affects a single
 version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise
 Linux 7. Both earlier and later versions are not affected.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H [8.8 HIGH]


Patches_docker.io:
upstream_docker.io: not-affected (debian: Red Hat specific regression)
precise/esm_docker.io: DNE
trusty_docker.io: ignored (out of standard support)
trusty/esm_docker.io: DNE
xenial_docker.io: not-affected (Red Hat specific regression)
bionic_docker.io: not-affected (Red Hat specific regression)
eoan_docker.io: not-affected (Red Hat specific regression)
focal_docker.io: not-affected (Red Hat specific regression)
devel_docker.io: not-affected (Red Hat specific regression)