Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Docker
(Docker)| Repositories | https://github.com/opencontainers/runc |
| #Vulnerabilities | 37 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-02-06 | CVE-2014-5282 | Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. | Docker | 8.1 | ||
| 2019-07-18 | CVE-2019-13509 | In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. | Docker | 7.5 | ||
| 2019-08-28 | CVE-2019-15752 | Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. | Docker | 7.8 | ||
| 2019-09-25 | CVE-2019-16884 | runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. | Ubuntu_linux, Docker, Fedora, Runc, Leap, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Openshift_container_platform | 7.5 | ||
| 2020-02-07 | CVE-2014-5278 | A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. | Docker | 5.3 | ||
| 2020-01-02 | CVE-2014-0048 | An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways. | Geode, Docker | 9.8 | ||
| 2014-07-11 | CVE-2014-3499 | Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors. | Docker, Fedora | N/A | ||
| 2018-07-06 | CVE-2018-10892 | The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. | Docker, Moby, Leap, Enterprise_linux, Enterprise_linux_server, Openstack | 5.3 | ||
| 2019-12-17 | CVE-2014-8178 | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. | Cs_engine, Docker, Opensuse | 5.5 | ||
| 2019-12-17 | CVE-2014-8179 | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. | Cs_engine, Docker, Opensuse | 7.5 |