CVE-2014-5277
Aliases: PYSEC-2014-80, GHSA-8w94-cf6g-c8mg, GO-2022-0636
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 17 Nov 2014, 16:00
Last modified: 06 Aug 2024, 11:41
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
5 MEDIUM
v2.0 (nvd)
EPSS Score
0.68% LOW
1% probability -0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
17 Nov 2014, 16:00
Published
Vulnerability first disclosed
06 Aug 2024, 11:41
Last Modified
Vulnerability information updated
Description
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
CVSS Metrics
- v4.0 • MEDIUM • Score: 6.9 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
- v3.1 • MEDIUM • Score: 5.3 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- v2.0 • MEDIUM • Score: 5 • AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.68% • Percentile: 72%
Techniques & Countermeasures
- CWE-17 • DEPRECATED: Code
This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Affected Systems
- docker • docker: ≤ 1.3.0
- docker • docker-py: ≤ 0.5.3
- github.com/docker • docker: < 1.3.1
- PyPI • docker-py: < 0.5.3
References (8)
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html
- https://groups.google.com/forum/#%21topic/docker-user/oYm0i3xShJU
- https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU
- https://nvd.nist.gov/vuln/detail/CVE-2014-5277
- https://github.com/docker/docker/commit/8caacb18f8019dfda30d79c327397e5f5783c068
- https://github.com/docker/docker
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5277
- https://github.com/advisories/GHSA-8w94-cf6g-c8mg