github.com/docker/docker vulnerabilities
33 known vulnerabilities affecting github.com/docker/docker.
Total CVEs: 33
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 10, MEDIUM 19, LOW 2
Vulnerabilities
Page 2 of 2
CVE-2015-3627 | P4 | MEDIUM | ≥ 0, < 1.6.1 | 2022-02-15
CVE-2015-3627 [MEDIUM] CWE-59 Symlink Attack in Libcontainer and Docker Engine
Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
ghsa, osv

CVE-2026-41568 | P4 | MEDIUM | ≥ 0, ≤ 28.5.2 | 2026-05-18
CVE-2026-41568 [MEDIUM] CWE-367 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
## Summary
A race condition during `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race d
ghsa

CVE-2020-27534 | P4 | MEDIUM | ≥ 0, < 19.03.9 | 2024-01-31
CVE-2020-27534 [MEDIUM] CWE-22 Path Traversal in Moby builder
util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
ghsa, osv

CVE-2024-32473 | P4 | MEDIUM | ≥ 26.0.0, < 26.0.2 | 2024-04-18
CVE-2024-32473 [MEDIUM] CWE-668 IPv6 enabled on IPv4-only network interfaces
In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`.
### Impact
A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:
- Containers may be able to communicate with other
ghsa, osv

CVE-2022-39253 | P4 | MEDIUM | CVSS 5.5 | ≥ 0, < 20.10.20 | 2022-11-11
[MEDIUM] CWE-200 Container build can leak any path on the host into the container
### Description
Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime (formerly Docker EE), and Docker Desktop. Moby allows for building container images using a set of build instructions (usually named and referred to as a "Dock
ghsa, osv

CVE-2022-24769 | P4 | MEDIUM | ≥ 0, < 20.10.14 | 2024-04-22
CVE-2022-24769 [MEDIUM] CWE-732 Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
### Impact
A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set durin
ghsa, osv

CVE-2014-3499 | P4 | HIGH | ≥ 0, < 1.0.1 | 2022-02-15
CVE-2014-3499 [HIGH] CWE-269 Privilege Escalation in Docker
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
ghsa, osv

CVE-2020-8694 | P4 | MEDIUM | CVSS 5.5 | ≥ 24.0.0, < 24.0.7; ≥ 21.0.0, < 23.0.8; +1 more | 2023-10-30
[MEDIUM] /sys/devices/virtual/powercap accessible by default to containers
Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via `s
ghsa, osv

CVE-2015-3630 | P4 | HIGH | ≥ 1.6.0, < 1.6.1 | 2022-02-15
CVE-2015-3630 [HIGH] CWE-285 Information Exposure in Docker Engine
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.
ghsa, osv

CVE-2025-54410 | P4 | LOW | ≥ 0, < 25.0.13; ≥ 26.0.0-rc1, < 28.0.0 | 2025-07-29
CVE-2025-54410 [LOW] CWE-909 Moby firewalld reload removes bridge network isolation
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as Docker, or Docker Engine.
Firewalld is a daemon u
ghsa, osv

CVE-2014-5277 | P4 | MEDIUM | ≥ 0, < 1.3.1 | 2022-02-15
CVE-2014-5277 [MEDIUM] Man-in-the-Middle (MitM)
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
ghsa, osv

CVE-2025-54388 | P4 | MEDIUM | ≥ 28.2.0, < 28.3.3 | 2025-07-29
CVE-2025-54388 [MEDIUM] CWE-909 Moby firewalld reload makes published container ports accessible from remote hosts
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referr
ghsa, osv

CVE-2015-3631 | P4 | MEDIUM | ≥ 0, < 1.6.1 | 2022-02-15
CVE-2015-3631 [MEDIUM] CWE-285 Arbitrary File Override in Docker Engine
Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.
ghsa, osv