Bug 1168436 (CVE-2014-5282) - CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent pulls
Summary: CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent p...
Alias: CVE-2014-5282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1168437
TreeView+ depends on / blocked
Reported: 2014-11-26 22:58 UTC by Vincent Danen
Modified: 2019-09-29 13:24 UTC (History)
5 users (show)

Fixed In Version: docker 1.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-19 01:55:16 UTC

Attachments (Terms of Use)

Description Vincent Danen 2014-11-26 22:58:02 UTC
From the upstream report [1]:

[CVE-2014-5282] Tagging image to ID can redirect images on subsequent pulls

Importance: Medium
Affects: Docker 1.2 and lower

It has been discovered that users of the Docker Remote API and CLI could cause one image repository, upon pull, to redirect to the content of another image. This is vulnerability affects all versions of Docker up to, but excluding version 1.3.

The primary vector for an attack is by loading of untrusted images via ‘docker load’. Images downloaded from DockerHub or private registries cannot exploit this vulnerability.

It is recommended that users upgrade to Docker engine 1.3.

Users of older releases of docker are advised not to load untrusted images via ‘docker load’. Vendors supporting older releases of Docker should assure they do not allow untrusted tenants to provide images for import with ‘docker load’, or tag images to arbitrary names equal to 64-characters containing characters within the range of [0-9a-f].

Discovered by Eric Windisch of Docker, Inc.

[1] https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ

Note You need to log in before you can comment on or make changes to this bug.