MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTh3OTQtY2Y2Zy1jOG1n

Moderate CVSS: 6.9 EPSS: 0.00699% (0.70648 Percentile) EPSS:

Permalink JSON

Man-in-the-Middle (MitM)

Affected Packages	Affected Versions	Fixed Versions
go:github.com/docker/docker PURL: `pkg:go/github.com%2Fdocker%2Fdocker`	< 1.3.1	1.3.1
16,935 Dependent packages 40,103 Dependent repositories Affected Version Ranges All affected versions v0.1.0, v0.1.1, v0.1.2, v0.1.3, v0.1.4, v0.1.5, v0.1.6, v0.1.7, v0.1.8, v0.2.0, v0.2.1, v0.2.2, v0.3.0, v0.3.1, v0.3.2, v0.3.3, v0.3.4, v0.4.0, v0.4.1, v0.4.2, v0.4.3, v0.4.4, v0.4.5, v0.4.6, v0.4.7, v0.4.8, v0.5.0, v0.5.1, v0.5.2, v0.5.3, v0.6.0, v0.6.1, v0.6.2, v0.6.3, v0.6.4, v0.6.5, v0.6.6, v0.6.7, v0.7.0, v0.7.0-rc1, v0.7.0-rc2, v0.7.0-rc3, v0.7.0-rc4, v0.7.0-rc5, v0.7.0-rc6, v0.7.0-rc7, v0.7.1, v0.7.2, v0.7.3, v0.7.4, v0.7.5, v0.7.6, v0.8.0, v0.8.1, v0.9.0, v0.9.1, v0.10.0, v0.11.0, v0.11.1, v0.12.0, v1.0.0, v1.0.1, v1.1.0, v1.1.1, v1.1.2, v1.2.0, v1.3.0 All unaffected versions v1.3.1, v1.3.2, v1.3.3, v1.4.0, v1.4.1, v1.5.0, v1.6.0, v1.6.1, v1.6.2, v1.7.0, v1.7.1, v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.9.0, v1.9.1, v1.10.0, v1.10.1, v1.10.2, v1.10.3, v1.11.0, v1.11.1, v1.11.2, v1.12.0, v1.12.1, v1.12.2, v1.12.3, v1.12.4, v1.12.5, v1.12.6, v1.13.0, v1.13.1, v20.10.0+incompatible, v20.10.1+incompatible, v20.10.2+incompatible, v20.10.3+incompatible, v20.10.4+incompatible, v20.10.5+incompatible, v20.10.6+incompatible, v20.10.7+incompatible, v20.10.8+incompatible, v20.10.9+incompatible, v20.10.10+incompatible, v20.10.11+incompatible, v20.10.12+incompatible, v20.10.13+incompatible, v20.10.14+incompatible, v20.10.15+incompatible, v20.10.16+incompatible, v20.10.17+incompatible, v20.10.18+incompatible, v20.10.19+incompatible, v20.10.20+incompatible, v20.10.21+incompatible, v20.10.22+incompatible, v20.10.23+incompatible, v20.10.24+incompatible, v20.10.25+incompatible, v20.10.26+incompatible, v20.10.27+incompatible, v23.0.0+incompatible, v23.0.1+incompatible, v23.0.2+incompatible, v23.0.3+incompatible, v23.0.4+incompatible, v23.0.5+incompatible, v23.0.6+incompatible, v23.0.7+incompatible, v23.0.8+incompatible, v23.0.9+incompatible, v23.0.10+incompatible, v23.0.11+incompatible, v23.0.12+incompatible, v23.0.13+incompatible, v23.0.14+incompatible, v23.0.15+incompatible, v23.0.16+incompatible, v23.0.17+incompatible, v23.0.18+incompatible, v24.0.0+incompatible, v24.0.1+incompatible, v24.0.2+incompatible, v24.0.3+incompatible, v24.0.4+incompatible, v24.0.5+incompatible, v24.0.6+incompatible, v24.0.7+incompatible, v24.0.8+incompatible, v24.0.9+incompatible, v25.0.0+incompatible, v25.0.1+incompatible, v25.0.2+incompatible, v25.0.3+incompatible, v25.0.4+incompatible, v25.0.5+incompatible, v25.0.6+incompatible, v25.0.7+incompatible, v25.0.8+incompatible, v25.0.9+incompatible, v25.0.10+incompatible, v25.0.11+incompatible, v25.0.12+incompatible, v25.0.13+incompatible, v26.0.0+incompatible, v26.0.1+incompatible, v26.0.2+incompatible, v26.1.0+incompatible, v26.1.1+incompatible, v26.1.2+incompatible, v26.1.3+incompatible, v26.1.4+incompatible, v26.1.5+incompatible, v27.0.0+incompatible, v27.0.1+incompatible, v27.0.2+incompatible, v27.0.3+incompatible, v27.1.0+incompatible, v27.1.1+incompatible, v27.1.2+incompatible, v27.2.0+incompatible, v27.2.1+incompatible, v27.3.0+incompatible, v27.3.1+incompatible, v27.4.0+incompatible, v27.4.1+incompatible, v27.5.0+incompatible, v27.5.1+incompatible, v28.0.0+incompatible, v28.0.1+incompatible, v28.0.2+incompatible, v28.0.3+incompatible, v28.0.4+incompatible, v28.1.0+incompatible, v28.1.1+incompatible, v28.2.0+incompatible, v28.2.1+incompatible, v28.2.2+incompatible, v28.3.0+incompatible, v28.3.1+incompatible, v28.3.2+incompatible, v28.3.3+incompatible, v28.4.0+incompatible, v28.5.0+incompatible, v28.5.1+incompatible

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

References:

Identifiers

GHSA-8w94-cf6g-c8mg

CVE-2014-5277

Risk

Severity

Moderate

CVSS

CVSS Score: 6.9

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00699

EPSS Percentile: 0.70648

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/docker/docker

Date and time

Published

over 3 years ago

Updated

12 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories