The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression.
CVSS v2.0 Score
4.3
/ 10.0
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Information
- Published
- 6 avr. 2015
- Updated
- 12 avr. 2025
- Status
- Deferred
- Source
- secalert@redhat.com
Affected products
redhat dockerAll Docker CVEs →
Versions : 1.5.0-27
Weaknesses (CWE)
CWE-20
References (6)
- http://rhn.redhat.com/errata/RHSA-2015-0776.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0776.htmlVendor Advisory
Similar CVEs
Other vulnerabilities of type CWE-20
Loading…
Monitor your products
Get automatic alerts for every new CVE affecting your equipment.