CVE-2014-8179

Published: 17 December 2019

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation.

Priority

Low

CVSS 3 base score: 7.5

Status

Package: docker.io (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1.8.3)
Ubuntu 16.04 LTS (Xenial Xerus): Released (1.10.3-0ubuntu6)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [code not present])

Patches:
Upstream: https://github.com/NathanMcCauley/docker/commit/56d463690f833baf3ea5f1599715070f649e7aca (1.8.3)

Notes

Author: tyhicks
Note: Most likely to occur when interacting with maliciously crafted docker images
Note: Significant refactoring of the code between Trusty and Vivid

References