CVE-2018-15869

Name: CVE-2018-15869
Description: An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and is therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 907298

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| packer (PTS) | stretch (security), stretch (lts), stretch | 0.10.2+dfsg-6+deb9u1 | fixed |
| packer | buster (security), buster, buster (lts) | 1.3.4+dfsg-4+deb10u1 | fixed |
| packer | bullseye | 1.6.6+ds1-2 | fixed |
| packer | bookworm | 1.6.6+ds2-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| packer | source | stretch | (not affected) | | | |
| packer | source | (unstable) | 1.3.1+dfsg-1 | low | | 907298 |

Notes

[stretch] - packer <not-affected> (Vulnerable code added later)
https://github.com/hashicorp/packer/issues/6584
https://github.com/aws/aws-cli/issues/3629
