VYPR
Moderate severity · NVD Advisory · Published Nov 17, 2014 · Updated May 6, 2026

CVE-2014-5277

Description

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.
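
The fallback described above, as an added Go example that is not Docker's code: `fetchRegistry` keeps the pre-1.3.1 "retry over http:// when HTTPS fails" branch behind a flag so the vulnerable and hardened behaviours can be compared, `hardenedClient` applies the explicit TLS floor the fix commit chose, and `simulateDowngrade` stands in for the network position the description mentions with a plaintext httptest server (function names and the `/v1/_ping` path are assumptions).

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

// hardenedClient sets the explicit TLS floor the fix commit chose (TLS 1.0, which shuts out
// SSLv3; raise it for current deployments) plus a handshake timeout so a blocked port fails fast.
func hardenedClient() *http.Client {
	return &http.Client{Timeout: 3 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS10}, TLSHandshakeTimeout: time.Second}}
}

// fetchRegistry tries https://host+path; with allowPlaintextFallback it retries over http:// after
// an HTTPS failure (the pre-1.3.1 pattern), otherwise it returns the error. Result: the scheme used.
func fetchRegistry(client *http.Client, host, path string, allowPlaintextFallback bool) (string, error) {
	url := "https://" + host + path
	resp, err := client.Get(url)
	if err != nil && allowPlaintextFallback {
		// Vulnerable branch: whoever can make the TLS connection fail steers the client here.
		url = "http://" + host + path
		resp, err = client.Get(url)
	}
	if err != nil {
		return "", fmt.Errorf("GET %s failed: %w", url, err)
	}
	resp.Body.Close()
	return strings.SplitN(url, ":", 2)[0], nil
}

// simulateDowngrade models a network position where TLS to the registry is blocked: all that
// answers on the registry's port is a plaintext httptest server (constructed stand-in).
func simulateDowngrade(allowPlaintextFallback bool) (scheme string, plaintextHits int64, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&plaintextHits, 1) // r.Header, credentials included, was readable on the wire
	}))
	defer srv.Close()
	scheme, err = fetchRegistry(hardenedClient(), strings.TrimPrefix(srv.URL, "http://"), "/v1/_ping", allowPlaintextFallback)
	return scheme, atomic.LoadInt64(&plaintextHits), err
}

func main() {
	fmt.Println(simulateDowngrade(true)) // http 1 <nil>; with false: "" 0 and the HTTPS error
}
```

With the fallback flag on, the client ends up talking plaintext to whatever answers on the port; with it off, the HTTPS error is returned and the plaintext listener never sees a request.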

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions   Patched versions
github.com/docker/docker   Go          < 1.3.1             1.3.1

Affected products

  • cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*
    Range: <=1.3.0
  • cpe:2.3:a:docker:docker-py:*:*:*:*:*:*:*:*
    Range: <=0.5.3

Patches

8caacb18f801

Avoid fallback to SSL protocols < TLS1.0

https://github.com/docker/docker · Daniel, Dao Quang Minh · Oct 16, 2014 · via ghsa
3 files changed · +9 −1
  • api/server/server.go  +2 −0  modified
    @@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
     		tlsConfig := &tls.Config{
     			NextProtos:   []string{"http/1.1"},
     			Certificates: []tls.Certificate{cert},
    +			// Avoid fallback on insecure SSL protocols
    +			MinVersion: tls.VersionTLS10,
     		}
     		if job.GetenvBool("TlsVerify") {
     			certPool := x509.NewCertPool()
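
    Review bot: the inline comment in this hunk ("Avoid fallback on insecure SSL protocols") is worded differently from the one used in the other two files ("Avoid fallback to SSL protocols < TLS1.0"); aligning the three makes the sites easy to find together later. Setting `MinVersion` inside the struct literal is the right spot here, since the config is built once and the `TlsVerify` branch below only adds a cert pool on top of it.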
    
  • docker/docker.go  +2 −0  modified
    @@ -93,6 +93,8 @@ func main() {
     			}
     			tlsConfig.Certificates = []tls.Certificate{cert}
     		}
    +		// Avoid fallback to SSL protocols < TLS1.0
    +		tlsConfig.MinVersion = tls.VersionTLS10
     	}
     
     	if *flTls || *flTlsVerify {
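
    Review bot: `tlsConfig.MinVersion = tls.VersionTLS10` is assigned inside an enclosing block whose condition is outside the hunk; confirm that block is the only place `tlsConfig` is populated and that `tlsConfig` is non-nil on every path reaching this line, otherwise a configuration that skips the block keeps the library's default floor. Placing the assignment after the inner `}` (the certificate branch) is correct, as the floor then applies whether or not a client certificate was loaded.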
    
  • registry/registry.go  +5 −1  modified
    @@ -37,7 +37,11 @@ const (
     )
     
     func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType, secure bool) *http.Client {
    -	tlsConfig := tls.Config{RootCAs: roots}
    +	tlsConfig := tls.Config{
    +		RootCAs: roots,
    +		// Avoid fallback to SSL protocols < TLS1.0
    +		MinVersion: tls.VersionTLS10,
    +	}
     
     	if cert != nil {
     		tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
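
    Review bot: this hunk only raises the TLS version floor for the registry client; the `secure bool` parameter of `newClient` is untouched, while the advisory text describes a fall back from HTTPS to plaintext HTTP, so that behaviour must be handled by a separate change and should be confirmed before this is treated as the fix for it. None of the three files changed is a test: a unit test asserting `MinVersion == tls.VersionTLS10` on the config produced at each of the three sites would keep the floor from silently regressing.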
    
