CVE-2017-14992: Input Validation
First published: Wed Nov 01 2017(Updated: )
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Docker Docker | <=1.10.3 | |
| Docker Docker | =1.12.6-0 | |
| Docker Docker | =17.03.0 | |
| Docker Docker | =17.03.1 | |
| Docker Docker | =17.03.2 | |
| Docker Docker | =17.06.0 | |
| Docker Docker | =17.06.1 | |
| Docker Docker | =17.06.2 | |
| Docker Docker | =17.09.0 | |
| <=1.10.3 | ||
| =1.12.6-0 | ||
| =17.03.0 | ||
| =17.03.1 | ||
| =17.03.2 | ||
| =17.06.0 | ||
| =17.06.1 | ||
| =17.06.2 | ||
| =17.09.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-14992?
The severity of CVE-2017-14992 is medium with a severity value of 6.5.
How does CVE-2017-14992 impact Docker-CE (Moby)?
CVE-2017-14992 allows a remote attacker to cause a Denial of Service via a crafted image layer payload, also known as gzip bombing.
Which versions of Docker-CE (Moby) are affected by CVE-2017-14992?
Docker-CE (Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, and 17.09.0, and earlier are affected by CVE-2017-14992.
What is the Common Weakness Enumeration (CWE) ID for CVE-2017-14992?
The CWE ID for CVE-2017-14992 is CWE-20.
Are there any references related to CVE-2017-14992?
Yes, you can find more information about CVE-2017-14992 at the following links: [Reference 1](https://blog.cloudpassage.com/2017/10/13/discovering-docker-cve-2017-14992/) and [Reference 2](https://github.com/moby/moby/issues/35075).
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- vendor/docker
- canonical/docker docker
- version/docker docker/1.10.3
- version/docker docker/1.12.6-0
- version/docker docker/17.03.0
- version/docker docker/17.03.1
- version/docker docker/17.03.2
- version/docker docker/17.06.0
- version/docker docker/17.06.1
- version/docker docker/17.06.2
- version/docker docker/17.09.0