What is the severity of CVE-2014-5277?

CVE-2014-5277 has been classified as a moderate severity vulnerability due to the potential for man-in-the-middle attacks.

How do I fix CVE-2014-5277?

To resolve CVE-2014-5277, upgrade Docker to version 1.3.1 or higher and docker-py to version 0.5.3 or higher.

What systems are affected by CVE-2014-5277?

CVE-2014-5277 affects Docker versions prior to 1.3.1 and docker-py versions prior to 0.5.3.

What does CVE-2014-5277 exploit?

CVE-2014-5277 exploits the fallback to HTTP when HTTPS connections to the registry fail, allowing downgrade attacks.

Can I use Docker without addressing CVE-2014-5277?

While you can continue using Docker, failing to address CVE-2014-5277 increases the risk of data interception during image retrieval.

Vulnerability/
CVE-2014-5277

medium

5.3

CWE

17/11/2014

15/2/2022

22/11/2024

CVE-2014-5277

First published: Mon Nov 17 2014(Updated: )

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
go/github.com/docker/docker	<1.3.1	1.3.1
Docker	<=1.3.0
Docker	<=0.5.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-5277?
CVE-2014-5277 has been classified as a moderate severity vulnerability due to the potential for man-in-the-middle attacks.
How do I fix CVE-2014-5277?
To resolve CVE-2014-5277, upgrade Docker to version 1.3.1 or higher and docker-py to version 0.5.3 or higher.
What systems are affected by CVE-2014-5277?
CVE-2014-5277 affects Docker versions prior to 1.3.1 and docker-py versions prior to 0.5.3.
What does CVE-2014-5277 exploit?
CVE-2014-5277 exploits the fallback to HTTP when HTTPS connections to the registry fail, allowing downgrade attacks.
Can I use Docker without addressing CVE-2014-5277?
While you can continue using Docker, failing to address CVE-2014-5277 increases the risk of data interception during image retrieval.

agent/type
collector/mitre-cve
source/MITRE
agent/author
agent/weakness
agent/first-publish-date
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-8w94-cf6g-c8mg
alias/CVE-2014-5277
agent/software-canonical-lookup
agent/severity
agent/references
agent/last-modified-date
agent/event
agent/trending
agent/softwarecombine
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/go
vendor/docker
canonical/docker
version/docker/1.3.0
version/docker/0.5.3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.