CVE-2014-8178

EUVD-2014-8019
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
dockercs_engine
𝑥
< 1.6.2-cs7
dockerdocker
𝑥
< 1.8.3
opensuseopensuse
13.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
docker.io
bookworm
20.10.24+dfsg1-1
fixed
bullseye
20.10.5+dfsg1-1+deb11u2
fixed
bullseye (security)
20.10.5+dfsg1-1+deb11u3
fixed
sid
26.1.5+dfsg1-4
fixed
trixie
26.1.5+dfsg1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
docker.io
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
not-affected
precise
dne
trusty
dne
vivid
ignored
wily
ignored
xenial
Fixed 1.10.3-0ubuntu6
released
yakkety
ignored
zesty
Fixed 1.12.6-0ubuntu4
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html
https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12
https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ
https://www.docker.com/legal/docker-cve-database
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html
https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12
https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ
https://www.docker.com/legal/docker-cve-database