CVE-2014-6408

Published Dec 12, 2014

Last updated a month ago

CVSS info 5.0

Overview

Description
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
Source
cve@mitre.org
NVD status
Modified
Products
docker

Risk scores

CVSS 2.0

Type
Primary
Base score
5
Impact score
2.9
Exploitability score
10
Vector string
AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses

nvd@nist.gov
CWE-264

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Docker Desktop Community Edition Privilege Escalation VulnerabilityCVE-2019-15752
  2. Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.CVE-2017-14992
  3. Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage.CVE-2014-0047
  4. RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.CVE-2016-9962
  5. Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.CVE-2015-3631

References

Sources include official advisories and independent security research.