CVE-2017-14992Improper Input Validation in Docker.io

CWE-20Improper Input ValidationCWE-770Allocation of Resources Without Limits or Throttling11 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 43.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Github.com Vbatts Tar-splitDebian Docker.ioDebian Golang-github-vbatts-tar-split+4 more
Timeline
PublishedNov 1
Latest updateApr 24

Description

Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

debiandebian/docker.io< docker.io 18.03.1+dfsg1-2 (bookworm)
NVDdocker/docker1.10.3+8
debiandebian/golang-github-vbatts-tar-split< docker.io 18.03.1+dfsg1-2 (bookworm)

🔴Vulnerability Details

4
OSV
Memory exhaustion in github.com/vbatts/tar-split2025-04-24
OSV
tar-split memory exhaustion2022-05-17
GHSA
tar-split memory exhaustion2022-05-17
OSV
CVE-2017-14992: Lack of content verification in Docker-CE (Also known as Moby) versions 12017-11-01

📋Vendor Advisories

3
Microsoft
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0 1.10.3 17.03.0 17.03.1 17.03.2 17.06.0 17.06.1 17.06.2 17.09.0 and earlier allows a remote attacker to cause a Denial o2017-11-14
Red Hat
docker: Lack of content verification2017-10-03
Debian
CVE-2017-14992: docker.io - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0...2017

💬Community

3
Bugzilla
CVE-2017-14992 docker-latest: docker: Lack of content verification [fedora-all]2017-11-07
Bugzilla
CVE-2017-14992 docker: Lack of content verification2017-11-07
Bugzilla
CVE-2017-14992 docker: Lack of content verification [fedora-all]2017-11-07