CVE-2014-5277
published 2014-11-17CVE-2014-5277: Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to…
PriorityP423medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
1.87%
76.7th percentile
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 1.3.1~dfsg1-1 (bookworm) | docker.io 1.3.1~dfsg1-1 (bookworm) |
| debian | docker.io | — | — |
| docker | docker | <= 1.3.0 | — |
| docker | docker-py | <= 0.5.3 | — |
| github.com | docker_docker | >= 0 < 1.3.1 | 1.3.1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| redhat | docker | <= 1.5.0-27 | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv5.0MEDIUM
vendor_debian5.0LOW
vendor_msrc5.0MEDIUM
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Man-in-the-Middle (MitM) in github.com/docker/docker
osv·2024-08-21
CVE-2014-5277 Man-in-the-Middle (MitM) in github.com/docker/docker
Man-in-the-Middle (MitM) in github.com/docker/docker
Man-in-the-Middle (MitM) in github.com/docker/docker
GHSA
GHSA-m568-g4fp-65j5: The Red Hat docker package before 1
ghsa_unreviewed·2022-05-17·CVSS 5.0
CVE-2015-1843 [MEDIUM] CWE-20 GHSA-m568-g4fp-65j5: The Red Hat docker package before 1
The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.
GHSA
Man-in-the-Middle (MitM)
ghsa·2022-02-15
CVE-2014-5277 [MEDIUM] Man-in-the-Middle (MitM)
Man-in-the-Middle (MitM)
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
OSV
Man-in-the-Middle (MitM)
osv·2022-02-15
CVE-2014-5277 [MEDIUM] Man-in-the-Middle (MitM)
Man-in-the-Middle (MitM)
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
OSV
CVE-2014-5277: Docker before 1
osv·2014-11-17·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277: Docker before 1
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
Microsoft
CVE-2014-5277: NIST NVD Details: https://nvd
vendor_msrc·2021-07-13·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277: NIST NVD Details: https://nvd
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-5277
Mariner: Mariner
[email protected]: [email protected]
Exploit Status: DOS:N/A
Remediation: moby-buildx
Red Hat
docker: regression of CVE-2014-5277
vendor_redhat·2015-03-27·CVSS 5.0
CVE-2015-1843 [MEDIUM] CWE-300 docker: regression of CVE-2014-5277
docker: regression of CVE-2014-5277
The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.
It was found that the fix for the CVE-2014-5277 issue was incomplete: the docker client could under certain circumstances erroneously fall back to HTTP when an HTTPS connection to a registry failed. This could allow a man-in-the-middle attacker to obtain authentication and image data from traffic sent from a client to the registry.
Debian
CVE-2015-1843: docker.io - The Red Hat docker package before 1.5.0-28, when using the --add-registry option...
vendor_debian·2015·CVSS 5.0
CVE-2015-1843 [MEDIUM] CVE-2015-1843: docker.io - The Red Hat docker package before 1.5.0-28, when using the --add-registry option...
The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Red Hat
docker: fallback to HTTP when HTTPS connections to the registry fail
vendor_redhat·2014-10-30·CVSS 5.0
CVE-2014-5277 [MEDIUM] CWE-300 docker: fallback to HTTP when HTTPS connections to the registry fail
docker: fallback to HTTP when HTTPS connections to the registry fail
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
Package: docker (Red Hat Enterprise Linux 7) - Affected
Debian
CVE-2014-5277: docker.io - Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS ...
vendor_debian·2014·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277: docker.io - Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS ...
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
Scope: local
bookworm: resolved (fixed in 1.3.1~dfsg1-1)
bullseye: resolved (fixed in 1.3.1~dfsg1-1)
forky: resolved (fixed in 1.3.1~dfsg1-1)
sid: resolved (fixed in 1.3.1~dfsg1-1)
trixie: resolved (fixed in 1.3.1~dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-1843 docker: regression of CVE-2014-5277 [fedora-all]
bugzilla·2015-03-27·CVSS 5.0
CVE-2015-1843 [MEDIUM] CVE-2015-1843 docker: regression of CVE-2014-5277 [fedora-all]
CVE-2015-1843 docker: regression of CVE-2014-5277 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
Bugzilla
CVE-2015-1843 docker: regression of CVE-2014-5277
bugzilla·2015-03-27·CVSS 5.0
CVE-2015-1843 [MEDIUM] CVE-2015-1843 docker: regression of CVE-2014-5277
CVE-2015-1843 docker: regression of CVE-2014-5277
A regression of CVE-2014-5277 was found in the current version of the docker client on RHEL 7.1 (Docker version 1.4.1-dev, build d26b358/1.4.1).
Acknowledgements:
Red Hat would like to thank Eric Windisch of Docker Inc. for reporting this issue.
Discussion:
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1206447]
---
Since we just shipped or are about to ship docker-1.5, are we all set?
---
(In reply to Daniel Walsh from comment #3)
> Since we just shipped or are about to ship docker-1.5, are we all set?
>
Unfortunately, I don't think so.
Docker Inc. reported it to us as a RHEL specific problem. However, I built a fresh build of 1.5 straight from github that has the same issue, so it's looking more and more
Bugzilla
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [fedora-all]
bugzilla·2014-11-17·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [fedora-all]
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail
bugzilla·2014-11-17·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-5277 to
the following vulnerability:
Name: CVE-2014-5277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277
Assigned: 20140816
Reference: https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU
Reference: http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when
the HTTPS connection to the registry fails, which allows
man-in-the-middle attackers to conduct downgrade attacks and obtain
authentication and image data by leveraging a network position between
the client and the registry to block HTTPS traffic.
Discussion:
Created docker tracki
Bugzilla
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [epel-6]
bugzilla·2014-11-17·CVSS 5.0
CVE-2014-5277 [MEDIUM] CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [epel-6]
CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for docker: see b
2014-11-17
Published