Docker Docker

stack.watch can notify you when security vulnerabilities are reported in any Docker product. You can add multiple products that you use with Docker to create your own personal software stack watcher.

Products by Docker Sorted by Most Security Vulnerabilities since 2018

Docker9 vulnerabilities
Open Platform for Distributed Applications

Docker Engine2 vulnerabilities

Docker Registry1 vulnerability

Docker Credential Helpers1 vulnerability

Docker Desktop1 vulnerability

@docker Tweets

Supr useful �� and yes, devs can still use Docker to develop for K8s ;) https://t.co/64WBg5nrov
Wed Dec 02 23:40:32 +0000 2020

containerd as a core for both Docker and Kubernetes �� https://t.co/XzECrrguFj
Wed Dec 02 22:57:27 +0000 2020

Live Workshop: Getting Started with Docker Tuesday, December 15, 2020, 10:00am PT / 1:00pm ET Register at… https://t.co/rGyBEsGw0Q
Wed Dec 02 21:00:28 +0000 2020

Here's more detail about next week's first ever Docker Community All-Hands. Be sure to register and we hope to see… https://t.co/GHymO6CWsf
Wed Dec 02 20:06:29 +0000 2020

Ahoy fam! Check out the #Docker developer guide to re:Invent to get the most out of the big event… https://t.co/enlhcs20PL
Tue Dec 01 23:27:00 +0000 2020

By the Year

In 2020 there have been 3 vulnerabilities in Docker with an average score of 7.5 out of ten. Last year Docker had 8 security vulnerabilities published. Right now, Docker is on track to have less security vulerabilities in 2020 than it did last year. However, the average CVE base score of the vulnerabilities in 2020 is greater by 0.04.

Year Vulnerabilities Average Score
2020 3 7.50
2019 8 7.46
2018 2 7.05

It may take a day or so for new Docker vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest Docker Security Vulnerabilities

An issue was discovered in Docker Engine before 19.03.11

CVE-2020-13401 6 - Medium - June 02, 2020

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE-2020-13401 can be explotited with network access, and requires small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Improper Input Validation

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM

CVE-2020-10665 6.7 - Medium - March 18, 2020

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. This affects Docker Desktop Enterprise before 2.1.0.9, Docker Desktop for Windows Stable before 2.2.0.4, and Docker Desktop for Windows Edge before 2.2.2.0.

CVE-2020-10665 can be explotited with local system access, and requires user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 0.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Privilege Management

An issue was found in Docker before 1.6.0

CVE-2014-0048 9.8 - Critical - January 02, 2020

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways.

CVE-2014-0048 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Improper Input Validation

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products

CVE-2019-16884 7.5 - High - September 25, 2019

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

CVE-2019-16884 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

AuthZ

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command

CVE-2019-13139 8.4 - High - August 22, 2019

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag.

CVE-2019-13139 can be explotited with local system access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.5 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Shell injection

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot

CVE-2019-14271 9.8 - Critical - July 29, 2019

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

CVE-2019-14271 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulneraility has a high impact to the confidentiality, integrity and availability of this component.

Improper Control of Generation of Code ('Code Injection')

docker-credential-helpers before 0.6.3 has a double free in the List functions.

CVE-2019-1020014 5.5 - Medium - July 29, 2019

docker-credential-helpers before 0.6.3 has a double free in the List functions.

CVE-2019-1020014 is exploitable with local system access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Double-free

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10)

CVE-2019-13509 7.5 - High - July 18, 2019

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

CVE-2019-13509 can be explotited with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Information Exposure Through Log Files

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges

CVE-2018-15664 7.5 - High - May 23, 2019

In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).

CVE-2018-15664 is exploitable with local system access, requires user interaction and a small amount of user privledges. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 0.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Race Condition

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access

CVE-2019-5736 8.6 - High - February 11, 2019

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

CVE-2019-5736 is exploitable with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Containment Errors (Container Errors)

Docker Engine before 18.09

CVE-2018-20699 4.9 - Medium - January 12, 2019

Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.

CVE-2018-20699 can be explotited with network access, and requires user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Uncontrolled Resource Consumption ('Resource Exhaustion')

HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\

CVE-2018-15514 8.8 - High - September 01, 2018

HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges.

CVE-2018-15514 is exploitable with network access, and requires small amount of user privledges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Marshaling, Unmarshaling

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames

CVE-2018-10892 5.3 - Medium - July 06, 2018

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.

CVE-2018-10892 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which

CVE-2017-11468 7.5 - High - July 20, 2017

Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint.

CVE-2017-11468 is exploitable with network access, and does not require authorization privledges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Allocation of Resources Without Limits or Throttling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8