CVE-2014-9358

Published: 16/12/2014 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

Docker prior to 1.3.3 does not properly validate image IDs, which allows remote malicious users to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."

Vulnerable Product

docker docker

Vendor Advisories

Debian Bug report logs - #772909 docker.io: CVE-2014-9356 CVE-2014-9357 CVE-2014-9358. Package: src:docker.io; Maintainer for src:docker.io is Dmitry Smirnov <onlyjob@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 12 Dec 2014 05:45:02 UTC; Severity: grave; Tags: fixed-upstream, security, u ...

Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts. This vulnerability allowed malicious ...

Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications" ...