Lucene search

[email protected]CVE-2014-5277

HistoryNov 17, 2014 - 4:59 p.m.

CVE-2014-5277

2014-11-1716:59:01

CWE-17

[email protected]

web.nvd.nist.gov

docker

docker-py

vulnerability

security

cve-2014-5277

man-in-the-middle attack

http

https

downgrade attack

nvd

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

JSON

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Affected configurations

NVD

Node

dockerdockerRange≤1.3.0

dockerdocker-pyRange≤0.5.3

CPENameOperatorVersion
docker:dockerdockerle1.3.0
docker:docker-pydocker docker-pyle0.5.3

CPE	Name	Operator	Version
docker:docker	docker	le	1.3.0
docker:docker-py	docker docker-py	le	0.5.3

References

lists.opensuse.org/opensuse-updates/2014-11/msg00048.html

groups.google.com/forum/#%21topic/docker-user/oYm0i3xShJU

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

JSON

Related for CVE-2014-5277

prion2 nvd2 github1 debiancve2 ubuntucve2 osv2 cvelist2 cbl_mariner1 openvas2 nessus2 redhat1 cve1 securityvulns2