CVE-2014-9358
Published: 2014-12-16
Priority: P4 32
CVSS 2.0: 6.4 (medium), vector AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS: 2.53% (82.9th percentile)
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 1.3.3~dfsg1-1 (bookworm) | docker.io 1.3.3~dfsg1-1 (bookworm) |
| docker | docker | <= 1.3.2 | — |
| github.com | docker_docker | >= 0 < 1.3.2 | 1.3.2 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
| vendor_msrc | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
OSV (2024-08-21): Directory Traversal in Docker in github.com/docker/docker
OSV (2022-02-15) [MEDIUM]: Directory Traversal in Docker
GHSA (2022-02-15) [MEDIUM], CWE-59: Directory Traversal in Docker
OSV (2014-12-16, CVSS 6.4) [MEDIUM]: "CVE-2014-9358: Docker before 1" (title truncated in source)
Microsoft (vendor_msrc, 2021-07-13, CVSS 6.4) [MEDIUM]
NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2014-9358
Mariner: Mariner
Exploit Status: DOS:N/A
Remediation: moby-buildx
Red Hat (vendor_redhat, 2014-12-11, CVSS 6.4) [MEDIUM]: docker: Path traversal and spoofing opportunities presented through image identifiers
Debian (vendor_debian, 2014, CVSS 6.4) [MEDIUM]: docker.io
Scope: local
bookworm: resolved (fixed in 1.3.3~dfsg1-1)
bullseye: resolved (fixed in 1.3.3~dfsg1-1)
forky: resolved (fixed in 1.3.3~dfsg1-1)
sid: resolved (fixed in 1.3.3~dfsg1-1)
trixie: resolved (fixed in 1.3.3~dfsg1-1)
No detection rules found.
No public exploits indexed.
Bugzilla (2014-12-11, CVSS 8.6) [HIGH]: CVE-2014-9357 CVE-2014-9356 CVE-2014-9358 docker-io: various flaws [epel-6]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

epel-6 tracking bug for docker-io: see blocks bug lis
Bugzilla (2014-12-11, CVSS 8.6) [HIGH]: CVE-2014-9357 CVE-2014-9356 CVE-2014-9358 docker-io: various flaws [fedora-all]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multiple supported versions o
Bugzilla (2014-12-10, CVSS 6.4) [MEDIUM]: CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers
Docker Inc. has reported that it is possible to spoof images on the central registry. From the report:
"It has been discovered that Docker does not sufficiently validate Image IDs as provided either via 'docker load' or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks."
Discussion:
External References:
https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw
---
Created docker-io tracking bugs for this issue:
Affects: fedora-all [bug 1173324]
Affects: epel-6 [bug 1173325]
---
This issue has been addressed in the following products:
Red Hat Enterprise