CVE-2014-8178

Published: 17 December 2019

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.

Priority

Low

CVSS 3 base score: 5.5

Status

Package Release Status
docker.io
Upstream: Released (1.8.3)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.13.1-0ubuntu4)
Ubuntu 16.04 LTS (Xenial Xerus): Released (1.10.3-0ubuntu6)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was deferred)
Patches:
Upstream: https://github.com/aaronlehmann/docker/commit/504e67b867865a2835e8002c01087a2cfd7bfd0e (master)
Upstream: https://github.com/NathanMcCauley/docker/commit/9098628b2901ae8585ba4c66ee6e14759d2119da (1.8.3)

Notes

Author: tyhicks
Note: Most likely to occur when interacting with maliciously crafted docker images
Note: Significant refactoring of the code between Trusty and Vivid
