Bug 1164849 (CVE-2014-5277) - CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry fail
Summary: CVE-2014-5277 docker: fallback to HTTP when HTTPS connections to the registry...
Alias: CVE-2014-5277
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1164850 1164851
Blocks: 1063551
TreeView+ depends on / blocked
Reported: 2014-11-17 17:23 UTC by Vincent Danen
Modified: 2021-10-20 10:47 UTC (History)
3 users (show)

Fixed In Version: docker 1.3.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-20 10:47:12 UTC

Attachments (Terms of Use)

Description Vincent Danen 2014-11-17 17:23:37 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-5277 to
the following vulnerability:

Name: CVE-2014-5277
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277
Assigned: 20140816
Reference: https://groups.google.com/forum/#!topic/docker-user/oYm0i3xShJU
Reference: http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when
the HTTPS connection to the registry fails, which allows
man-in-the-middle attackers to conduct downgrade attacks and obtain
authentication and image data by leveraging a network position between
the client and the registry to block HTTPS traffic.

Comment 1 Vincent Danen 2014-11-17 17:24:20 UTC
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1164850]
Affects: epel-6 [bug 1164851]

Note You need to log in before you can comment on or make changes to this bug.