Directory Traversal in Docker · CVE-2014-9358 · GitHub Advisory Database · GitHub

Directory Traversal in Docker

Moderate severity GitHub Reviewed Published Feb 15, 2022 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

github.com/docker/docker (Go)

Affected versions

< 1.3.2

Patched versions

1.3.2

Description

Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."

References

Reviewed May 20, 2021

Published to the GitHub Advisory Database Feb 15, 2022

Last updated Jan 9, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N