U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:docker:docker:0.4.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 19 matching records.
Displaying matches 1 through 19.
Vuln ID Summary CVSS Severity
CVE-2022-25365

Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.

Published: February 18, 2022; 9:15:06 PM -0500
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2021-21285

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Published: February 02, 2021; 1:15:12 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-21284

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Published: February 02, 2021; 1:15:11 PM -0500
V3.1: 6.8 MEDIUM
V2.0: 2.7 LOW
CVE-2020-27534

util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

Published: December 30, 2020; 6:15:15 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2014-5278

A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs.

Published: February 07, 2020; 1:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2014-0048

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.

Published: January 02, 2020; 12:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2014-8179

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation.

Published: December 17, 2019; 1:15:13 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2014-8178

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.

Published: December 17, 2019; 9:15:16 AM -0500
V3.1: 5.5 MEDIUM
V2.0: 1.9 LOW
CVE-2014-9356

Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.

Published: December 02, 2019; 1:15:10 PM -0500
V3.1: 8.6 HIGH
V2.0: 8.5 HIGH
CVE-2019-5736

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Published: February 11, 2019; 2:29:00 PM -0500
V3.1: 8.6 HIGH
V2.0: 9.3 HIGH
CVE-2014-5282

Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.

Published: February 06, 2018; 11:29:00 AM -0500
V3.0: 8.1 HIGH
V2.0: 5.5 MEDIUM
CVE-2014-0047

Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage.

Published: October 06, 2017; 11:29:00 AM -0400
V3.0: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2016-3697

libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.

Published: June 01, 2016; 4:59:06 PM -0400
V3.1: 7.8 HIGH
V2.0: 2.1 LOW
CVE-2015-3631

Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.

Published: May 18, 2015; 11:59:17 AM -0400
V3.x:(not available)
V2.0: 3.6 LOW
CVE-2015-3630

Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

Published: May 18, 2015; 11:59:16 AM -0400
V3.x:(not available)
V2.0: 7.2 HIGH
CVE-2015-3627

Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.

Published: May 18, 2015; 11:59:14 AM -0400
V3.x:(not available)
V2.0: 7.2 HIGH
CVE-2014-9358

Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."

Published: December 16, 2014; 1:59:16 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2014-6407

Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.

Published: December 12, 2014; 10:59:04 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5277

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Published: November 17, 2014; 11:59:01 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM