Computer Security

Docker multiple security vulnerabilities
updated since 01.12.2014
SecurityVulns ID: 14116
Threat Level:
Description: Symbolic links vulnerability, directory traversal, privilege escalation.
Affected: DOCKER : Docker 1.3
CVE: CVE-2014-9358 (Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications.")
 CVE-2014-9357 (Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.)
 CVE-2014-5277 (Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.)
Original document: DOCKER, Docker 1.3.3 - Security Advisory [11 Dec 2014] (22.12.2014)
 DOCKER, Docker 1.3.2 - Security Advisory [24 Nov 2014] (01.12.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod