CVE-2015-1843 — Improper Input Validation in Redhat Docker

CWE-20 — Improper Input Validation CWE-300 — Channel Accessible by Non-Endpoint CWE-494 — Download of Code Without Integrity Check6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

1.5%

top 18.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Docker Debian Docker.io

Timeline

PublishedApr 6

Latest updateMay 17

Description

The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDredhat/docker1.5.0-27

▶debiandebian/docker.io

🔴Vulnerability Details

GHSA

GHSA-m568-g4fp-65j5: The Red Hat docker package before 1↗2022-05-17

▶

📋Vendor Advisories

Red Hat

docker: regression of CVE-2014-5277↗2015-03-27

▶

Debian

CVE-2015-1843: docker.io - The Red Hat docker package before 1.5.0-28, when using the --add-registry option...↗2015

▶

💬Community

Bugzilla

CVE-2015-1843 docker: regression of CVE-2014-5277 [fedora-all]↗2015-03-27

▶

Bugzilla

CVE-2015-1843 docker: regression of CVE-2014-5277↗2015-03-27

▶