Github.Com Docker Docker vulnerabilities
33 known vulnerabilities affecting github.com/docker_docker.
Total CVEs: 33
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 10, MEDIUM 19, LOW 2
Vulnerabilities
Page 1 of 2
CVE-2024-41110 | P2 | CRITICAL | ≥ 19.03.0, < 23.0.15; ≥ 26.0.0, < 26.1.5; +2 more | 2024-07-30
CVE-2024-41110 [CRITICAL] CWE-187 Authz zero length regression
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass [authorization plugins (AuthZ)](https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacte
ghsa, osv
CVE-2019-14271 | P2 | CRITICAL | ≥ 19.03.0, < 19.03.1 | 2022-05-24
CVE-2019-14271 [CRITICAL] CWE-665 Moby Docker cp broken with debian containers
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
ghsa, osv
CVE-2014-9357 | P2 | HIGH | ≥ 0, < 1.3.3 | 2022-02-15
CVE-2014-9357 [HIGH] CWE-285 Arbitrary Code Execution
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
ghsa, osv
CVE-2023-28840 | P3 | HIGH | ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | 2023-04-04
CVE-2023-28840 [HIGH] CWE-420 Docker Swarm encrypted overlay network may be unauthenticated
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *Docker*.
ghsa, osv
CVE-2014-9356 | P3 | MEDIUM | ≥ 0, < 1.3.3 | 2021-05-18
CVE-2014-9356 [MEDIUM] CWE-22 Path Traversal in Docker
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.
ghsa, osv
CVE-2014-6407 | P3 | HIGH | ≥ 0, < 1.3.2 | 2022-02-15
CVE-2014-6407 [HIGH] CWE-59 Arbitrary Code Execution in Docker
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
ghsa, osv
CVE-2024-29018 | P3 | MEDIUM | ≥ 26.0.0-rc1, < 26.0.0-rc3; ≥ 25.0.0, < 25.0.5; +1 more | 2024-03-20
CVE-2024-29018 [MEDIUM] CWE-669 Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Moby is an open source container framework originally developed by Docker Inc. as Docker. It is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. As a batteries-included container runtime, Moby comes with a built-in networking implementa
ghsa, osv
CVE-2019-13509 | P3 | HIGH | ≥ 0, < 18.09.8 | 2022-05-24
CVE-2019-13509 [HIGH] CWE-532 Secret insertion into debug log in Docker
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
ghsa, osv
CVE-2026-41567 | P3 | HIGH | ≥ 0, ≤ 28.5.2 | 2026-05-18
CVE-2026-41567 [HIGH] CWE-427 Docker: `PUT /containers/{id}/archive` executes container binary on the host
## Summary
When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges.
## Details
When handling `PUT /containers/{id}/archive` requests with compressed archives, the daemon decompresses them using external system binaries. Due to in
ghsa
CVE-2023-28842 | P3 | MEDIUM | ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | 2023-04-04
CVE-2023-28842 [MEDIUM] CWE-420 Docker Swarm encrypted overlay network with a single endpoint is unauthenticated
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby)
ghsa, osv
CVE-2024-24557 | P3 | MEDIUM | ≥ 0, < 24.0.9; ≥ 25.0.0, < 25.0.2 | 2024-02-01
CVE-2024-24557 [MEDIUM] CWE-345 Classic builder cache poisoning
The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`.
Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candida
ghsa, osv
CVE-2023-28841 | P3 | MEDIUM | ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | 2023-04-04
CVE-2023-28841 [MEDIUM] CWE-311 Docker Swarm encrypted overlay network traffic may be unencrypted
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *D
ghsa, osv
CVE-2018-12608 | P3 | HIGH | ≥ 0, < 17.06.0-ce | 2024-01-31
CVE-2018-12608 [HIGH] CWE-288 Docker Authentication Bypass
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
ghsa, osv
CVE-2026-42306 | P3 | HIGH | ≥ 0, ≤ 28.5.2 | 2026-05-18
CVE-2026-42306 [HIGH] CWE-367 Docker: Race condition in docker cp allows bind mount redirection to host path
## Summary
A race condition during `docker cp` mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service.
## Details
When copying files into a container, the daemon sets up a temporary filesystem view b
ghsa
CVE-2022-36109 | P3 | MEDIUM | ≥ 0, < 20.10.18 | 2022-09-16
CVE-2022-36109 [MEDIUM] CWE-863 Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manip
ghsa, osv
CVE-2015-3629 | P3 | HIGH | ≥ 1.6.0, < 1.6.1 | 2022-02-15
CVE-2015-3629 [HIGH] CWE-59 Arbitrary File Write in Libcontainer
Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.
ghsa, osv
CVE-2021-41091 | P3 | MEDIUM | ≥ 0, < 20.10.9 | 2024-01-31
CVE-2021-41091 [MEDIUM] CWE-281 Moby (Docker Engine) Insufficiently restricted permissions on data directory
## Impact
A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable progr
ghsa, osv
CVE-2014-9358 | P4 | MEDIUM | ≥ 0, < 1.3.2 | 2022-02-15
CVE-2014-9358 [MEDIUM] CWE-59 Directory Traversal in Docker
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."
ghsa, osv
CVE-2014-6408 | P4 | MEDIUM | ≥ 1.3.0, < 1.3.2 | 2022-02-15
CVE-2014-6408 [MEDIUM] CWE-285 Access Restriction Bypass in Docker
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
ghsa, osv
CVE-2021-41089 | P4 | LOW | ≥ 0, < 20.10.9 | 2024-06-10
CVE-2021-41089 [LOW] CWE-281 `docker cp` allows unexpected chmod of host files in Moby Docker Engine
## Impact
A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed with
ghsa, osv