Fluid Attacks Database

Description

Man-in-the-Middle (MitM) Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	docker.io	>=0 <1.3.1~dfsg1-1	1.3.1~dfsg1-1
pypi	docker-py	=0.0.4 \|\| =0.0.5 \|\| =0.0.6 \|\| =0.1.0 \|\| =0.1.1 \|\| =0.1.2 \|\| =0.1.3 \|\| =0.1.4 \|\| =0.1.5 \|\| =0.2.0 \|\| =0.2.1 \|\| =0.2.2 \|\| =0.2.3 \|\| =0.3.0 \|\| =0.3.1 \|\| =0.3.2 \|\| =0.4.0 \|\| =0.5.0 \|\| =0.5.1 \|\| =0.5.2 \|\| >=0 <0.5.3	0.5.3
debian 13	docker.io	>=0 <1.3.1~dfsg1-1	1.3.1~dfsg1-1
go	github.com/docker/docker	>=0 <1.3.1	1.3.1
debian 14	docker.io	>=0 <1.3.1~dfsg1-1	1.3.1~dfsg1-1
debian 11	docker.io	>=0 <1.3.1~dfsg1-1	1.3.1~dfsg1-1
rpm rhel7	docker	-	-

Aliases

1. CVE-2014-52772. NVD-2014-52773. OSV-DEBIAN-2014-52774. OSV-2014-52775. OSV-PYSEC-2014-806. GCVE-2014-52777. SECURITY-TRACKER-CVE-2014-5277

References

1. http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html2. https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU3. https://github.com/docker/docker/commit/8caacb18f8019dfda30d79c327397e5f5783c0684. https://groups.google.com/forum/#%21topic/docker-user/oYm0i3xShJU5. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5277

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.