PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7569 Docker2aci Project CVE debrief

CVE-2016-7569 is a directory traversal flaw in docker2aci that can let a crafted image write to unintended files. NVD maps the issue to CWE-22 and rates it medium severity, with impact concentrated on integrity. The vulnerable range is through version 0.12.3, and the fix is associated with release v0.13.0.

Vendor
Docker2aci Project
Product
docker2aci
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Teams that use docker2aci to process container images, especially where images may come from less trusted sources or automated build pipelines, should treat this as a file-write integrity risk and verify they are not running affected versions.

Technical summary

The vulnerability is described as a directory traversal condition in the layer data embedded in an image: entry names containing dot-dot path elements can escape the intended extraction directory and land files elsewhere on the host. NVD classifies the weakness as CWE-22 and lists the CVSS v3.0 vector as AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, which scores a high integrity impact with no confidentiality or availability impact; the AV:L and UI:R components reflect that an operator has to feed the crafted image to docker2aci rather than any network exposure. The affected version range in NVD ends at 0.12.3, with v0.13.0 referenced as the corrective release.

Defensive priority

Medium. This is not a remote code execution issue and it requires an operator to process a crafted image, but an arbitrary file write on a build, packaging, or extraction host can overwrite scripts, configuration, or other files that later pipeline steps trust, so it still deserves prompt attention wherever untrusted images are handled.

Recommended defensive actions

  • Upgrade docker2aci to v0.13.0 or later.
  • Audit any systems that process untrusted or externally supplied container images with docker2aci.
  • Review downstream pipelines for unexpected file modifications or extraction behavior.
  • Restrict who can supply images to affected workflows until remediation is complete.
  • Validate that deployment artifacts are sourced from fixed, trusted builds rather than affected versions.
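
As an added illustration of the CWE-22 condition in the technical summary and of the audit step above (example code written for this debrief, not docker2aci's code or its v0.13.0 fix), the Go program below shows a layer extractor with the blind filepath.Join that lets a dot-dot entry escape the root, the hardened variant that rejects such entries, and an audit function that scans a layer tar without writing anything. The function names, the constructed two-entry archive, and the root-independent check are assumptions of this example; docker2aci's internal handling is not reproduced.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry that is absolute or climbs out of the extraction root (CWE-22).
var ErrTraversal = errors.New("tar entry is absolute or escapes the extraction root")

// entryEscapes reports whether a cleaned entry name is absolute or starts with "..", i.e. would resolve outside any root it is joined onto.
func entryEscapes(name string) bool {
	clean := filepath.Clean(name)
	return filepath.IsAbs(name) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator))
}

// auditLayer scans a layer tar stream without writing anything and returns the entries that would
// escape a root: traversing names, plus relative symlink targets that climb out of the layer.
func auditLayer(r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var bad []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return bad, err
		}
		switch {
		case entryEscapes(hdr.Name):
			bad = append(bad, hdr.Name)
		case hdr.Typeflag == tar.TypeSymlink && !filepath.IsAbs(hdr.Linkname) &&
			entryEscapes(filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)):
			bad = append(bad, hdr.Name+" -> "+hdr.Linkname)
		}
	}
}

// extractLayer writes the regular files of a layer tar stream under root and returns the paths it
// created. strict=false joins names blindly (the vulnerable pattern); strict=true rejects escaping entries with ErrTraversal.
func extractLayer(r io.Reader, root string, strict bool) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		} else if err != nil {
			return written, err
		}
		if strict && entryEscapes(hdr.Name) {
			return written, fmt.Errorf("%q: %w", hdr.Name, ErrTraversal)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, links and devices are out of scope for this example
		}
		target := filepath.Join(root, hdr.Name) // blind Join: "../../x" lands two levels above root
		if err = os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if data, err := io.ReadAll(tr); err != nil {
			return written, err
		} else if err = os.WriteFile(target, data, 0o644); err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// buildLayer returns a constructed layer archive (not taken from any real image): one benign file
// and one entry whose name climbs two directories above the extraction root.
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"etc/motd", "hello from the layer\n"},
		{"../../escaped.txt", "written outside the extraction root\n"},
	} {
		tw.WriteHeader(&tar.Header{Name: e.name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.body))})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	layer := buildLayer()
	bad, _ := auditLayer(bytes.NewReader(layer))
	fmt.Println("entries that escape the root:", bad)
	_, err := extractLayer(bytes.NewReader(layer), filepath.Join(os.TempDir(), "layer-demo"), true)
	fmt.Println("hardened extractor:", err) // the benign etc/motd is left under the scratch root
}
```

To audit an existing image, feed each layer tar stream to auditLayer; a saved image tarball nests one such stream per layer. The name check is the CWE-22 control, but it does not by itself stop a write through a symlink that an earlier entry in the same stream created, so a real extractor must also refuse to follow links when it opens targets. Go 1.20 and later can additionally flag such entry names at the tar.Reader level when GODEBUG=tarinsecurepath=0 is set, which is a useful extra control rather than a substitute for the extractor's own check.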

Evidence notes

Source corpus ties the issue to CWE-22 and a vulnerable version range through 0.12.3, with references to OSS Security mailing list posts, a GitHub issue, and the v0.13.0 release. The official NVD entry also provides the CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The public disclosure trail in the supplied references dates to 2016-09-28, while the CVE record was published on 2017-01-27.

Official resources

Public references in the supplied corpus point to disclosure and patch discussion on 2016-09-28, with the CVE record published on 2017-01-27.