CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2017-14992
https://notcve.org/view.php?id=CVE-2017-14992
01 Nov 2017 — Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing. Una falta de verificación en Docker-CE (también conocido como Moby), en versiones 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0 y anteriores, permite que un atacante remoto provoque una denegación de servic... • https://blog.cloudpassage.com/2017/10/13/discovering-docker-cve-2017-14992 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0047
https://notcve.org/view.php?id=CVE-2014-0047
06 Oct 2017 — Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. Las versiones anteriores a la 1.5 de Docker permiten que los usuarios locales provoquen un impacto sin especificar mediante vectores relacionados con el uso no seguro de /tmp. • http://www.openwall.com/lists/oss-security/2015/03/24/23 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9962 – docker: insecure opening of file-descriptor allows privilege escalation
https://notcve.org/view.php?id=CVE-2016-9962
10 Jan 2017 — RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. RunC permitió procesos de contenedores adicionales a través de 'runc exec' para ser ptraced por el pid 1 del contenedor. Esto permite... • http://rhn.redhat.com/errata/RHSA-2017-0116.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2016-3697 – docker: privilege escalation via confusion of usernames and UIDs
https://notcve.org/view.php?id=CVE-2016-3697
13 May 2016 — libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. libcontainer/user/user.go en runC en versiones anteriores a 0.1.0, tal como se utiliza en Docker en versiones anteriores a 1.11.2, trata indebidamente un UID numérico como un nombre de usuario potencial, lo que permite a usuarios locales obtener privilegios a través de ... • http://lists.opensuse.org/opensuse-updates/2016-05/msg00111.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2015-3627 – Docker Privilege Escalation / Information Disclosure
https://notcve.org/view.php?id=CVE-2015-3627
08 May 2015 — Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. Libcontainer and Docker Engine anterior a 1.6.1 abre el descriptor de ficheros pasado al proceso pid-1 antes de realizar el chroot, lo que permite a usuarios locales ganar privilegios a través de una ataque de enlace simbólico en una imagen. Docker versions prior to 1.6.1 suffer from privilege escalation ... • http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3630 – Docker Privilege Escalation / Information Disclosure
https://notcve.org/view.php?id=CVE-2015-3630
08 May 2015 — Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. Docker Engine anterior a 1.6.1 utiliza permisos débiles para (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, y (4) /proc/fs, lo que permite a usuarios locales modificar el anfitrión, obtener información sensible y realizar... • http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3631 – Docker Privilege Escalation / Information Disclosure
https://notcve.org/view.php?id=CVE-2015-3631
08 May 2015 — Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc. Docker Engine anterior a 1.6.1 permite a usuarios locales configurar políticas arbitrarias de Linux Security Modules (LSM) y docker_t a través de una imagen que permite los volúmenes sobrepasar los ficheros en /proc. Docker versions prior to 1.6.1 suffer from privilege escalation and information disclosure vulnerabilities. • http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-1843 – docker: regression of CVE-2014-5277
https://notcve.org/view.php?id=CVE-2015-1843
02 Apr 2015 — The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression. El paquete Red Hat docker anterior a 1.5.0-28, cuando utiliza la opción --add-registry,... • http://rhn.redhat.com/errata/RHSA-2015-0776.html • CWE-20: Improper Input Validation CWE-494: Download of Code Without Integrity Check •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9358 – Docker Privilege Escalation / Path Traversal / Spoofing
https://notcve.org/view.php?id=CVE-2014-9358
12 Dec 2014 — Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications." Docker anterior a 1.3.3 no valida correctamente los identificadores de imágenes, lo que permite a atacantes remotos realizar ataques de salto de ruta y falsificar repositorios a través de una imagen manipulada en (1) una operación 'carga de docker' o (2) 'comunicaciones de regist... • http://www.securityfocus.com/archive/1/534215/100/0/threaded • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2014-9357 – docker: Escalation of privileges during decompression of LZMA archives
https://notcve.org/view.php?id=CVE-2014-9357
12 Dec 2014 — Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. Docker 1.3.2 permite a atacantes remotos ejecutar código arbitrario con privilegios root a través de (1) una imagen manipulada o (2) un build manipulado en in fichero Docker en un archivo LZMA (.xz), relacionado con el chroot para la extracción de archivos. A flaw was found in the way the Docker servic... • http://www.securityfocus.com/archive/1/534215/100/0/threaded • CWE-264: Permissions, Privileges, and Access Controls •