CVE-2014-8178

MEDIUM

Docker CS Engine < 1.6.2-cs7 - Improper Input Validation

Title source: rule

Description

Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.

References (5)

[Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html

[Third Party Advisory] https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12

[Mailing List] https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ

[Vendor Advisory] https://www.docker.com/legal/docker-cve-database

Scores

CVSS v3 5.5

EPSS 0.0019

EPSS Percentile 40.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Classification

CWE

CWE-20

Status published

Affected Products (3)

docker/cs_engine < 1.6.2-cs7

docker/docker < 1.8.3

opensuse/opensuse

Timeline

Published Dec 17, 2019

Tracked Since Feb 18, 2026