CVE-2018-15869

Name: CVE-2018-15869
Description: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 907298

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| packer (PTS) | stretch | 0.10.2+dfsg-6 | fixed |
| | stretch (security) | 0.10.2+dfsg-6+deb9u1 | fixed |
| | buster | 1.3.4+dfsg-4 | fixed |
| | bullseye, sid | 1.6.6+ds1-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| packer | source | stretch | (not affected) | | | |
| packer | source | (unstable) | 1.3.1+dfsg-1 | low | | 907298 |

Notes

[stretch] - packer <not-affected> (Vulnerable code added later)
https://github.com/hashicorp/packer/issues/6584
https://github.com/aws/aws-cli/issues/3629
