Vulnerabilities > Docker
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-12-17 | CVE-2014-8179 | Improper Input Validation vulnerability in multiple products Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. | 7.5 |
| 2019-12-17 | CVE-2014-8178 | Improper Input Validation vulnerability in multiple products Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. | 5.5 |
| 2019-12-02 | CVE-2014-9356 | Path Traversal vulnerability in Docker Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. | 8.6 |
| 2019-09-25 | CVE-2019-16884 | Incorrect Authorization vulnerability in multiple products runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. | 7.5 |
| 2019-08-28 | CVE-2019-15752 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. | 7.8 |
| 2019-08-22 | CVE-2019-13139 | OS Command Injection vulnerability in Docker In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. | 8.4 |
| 2019-07-29 | CVE-2019-14271 | Improper Initialization vulnerability in multiple products In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. | 9.8 |
| 2019-07-29 | CVE-2019-1020014 | Double Free vulnerability in multiple products docker-credential-helpers before 0.6.3 has a double free in the List functions. | 5.5 |
| 2019-07-18 | CVE-2019-13509 | Information Exposure Through Log Files vulnerability in Docker In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. | 7.5 |
| 2019-05-23 | CVE-2018-15664 | Race Condition vulnerability in Docker In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). | 7.5 |