CVE-2014-5277: Channel Accessible by Non-Endpoint in Docker Docker

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.7% (top 28.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 17; Latest update Aug 21

Description

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages: 3 packages

🔴 Vulnerability Details (5)

OSV: Man-in-the-Middle (MitM) in github.com/docker/docker (2024-08-21)
GHSA: Man-in-the-Middle (MitM) (2022-02-15)
OSV: Man-in-the-Middle (MitM) (2022-02-15)
OSV: CVE-2014-5277: Docker before 1 (2014-11-17)
CVEList: CVE-2014-5277: Docker before 1 (2014-11-17)

📋 Vendor Advisories (4)

Microsoft: CVE-2014-5277: NIST NVD Details: https://nvd (2021-07-13)
Red Hat: docker: regression of CVE-2014-5277 (2015-03-27)
Red Hat: docker: fallback to HTTP when HTTPS connections to the registry fail (2014-10-30)
Debian: CVE-2014-5277: docker.io - Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS ... (2014)

💬 Community (5)

Bugzilla: CVE-2015-1843 docker: regression of CVE-2014-5277 [fedora-all] (2015-03-27)
Bugzilla: CVE-2015-1843 docker: regression of CVE-2014-5277 (2015-03-27)
Bugzilla: CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [fedora-all] (2014-11-17)
Bugzilla: CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail (2014-11-17)
Bugzilla: CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [epel-6] (2014-11-17)
CVE-2014-5277 — Channel Accessible by Non-Endpoint | cvebase