{"containers": {"cna": {"affected": [{"product": "Docker Engine", "vendor": "Docker", "versions": [{"status": "affected", "version": "before 1.8.3"}]}, {"product": "CS Docker Engine", "vendor": "Docker", "versions": [{"status": "affected", "version": "before 1.6.2-CS7"}]}], "datePublic": "2015-10-12T00:00:00", "descriptions": [{"lang": "en", "value": "Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-04T15:10:35", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html"}, {"tags": ["x_refsource_MISC"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.docker.com/legal/docker-cve-database"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:10:51.252Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.docker.com/legal/docker-cve-database"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-8179", "datePublished": "2019-12-04T15:10:35", "dateReserved": "2014-10-10T00:00:00", "dateUpdated": "2024-08-06T13:10:51.252Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docker:cs_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA627FD7-3005-4B2D-9589-63DCA3160884", "versionEndExcluding": "1.6.2-cs7", "vulnerable": true}, {"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BBB3326-A3DE-4EC3-A451-4C23E08AE9FC", "versionEndExcluding": "1.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation."}, {"lang": "es", "value": "Docker Engine versiones anteriores a la versi\u00f3n 1.8.3 y CS Docker Engine versiones anteriores a la versi\u00f3n 1.6.2-CS7 no comprueba y extrae apropiadamente el objeto manifiesto desde su representaci\u00f3n JSON durante una extracci\u00f3n, lo que permite a atacantes inyectar nuevos atributos en un objeto JSON y omitir la comprobaci\u00f3n pull-by-digest."}], "id": "CVE-2014-8179", "lastModified": "2023-02-13T00:45:09.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-17T18:15:13.497", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00014.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00036.html"}, {"source": "secalert@redhat.com", "tags": ["Not Applicable", "Vendor Advisory"], "url": "https://blog.docker.com/2015/10/security-release-docker-1-8-3-1-6-2-cs7/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/docker/docker/blob/master/CHANGELOG.md#183-2015-10-12"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/#%21msg/docker-dev/bWVVtLNbFy8/UaefOqMOCAAJ"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.docker.com/legal/docker-cve-database"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "docker: Manifest validation and parsing logic errors allow pull-by-digest validation bypass", "id": "1271256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1271256"}, "csaw": false, "cvss": {"cvss_base_score": "1.2", "cvss_scoring_vector": "AV:L/AC:H/Au:N/C:N/I:P/A:N", "status": "draft"}, "details": ["Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation."], "name": "CVE-2014-8179", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "docker", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2015-10-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-8179\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8179"], "statement": "This issue is exploitable by malicious Docker images. Red Hat supports images from it's own registry, ISV images certified by the Red Hat certification program, and images using qualified customer content.", "threat_severity": "Low"}