Moderate severity · NVD Advisory · Published Dec 12, 2014 · Updated May 6, 2026
CVE-2014-6408
CVE-2014-6408
Description
Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/docker/docker (Go) | >= 1.3.0, < 1.3.2 | 1.3.2 |
Affected products: 2
Patches: 1
c9379eb3fbbc · Move security opts to HostConfig
6 files changed · +12 −10
daemon/daemon.go+5 −6 modified
@@ -528,10 +528,10 @@ func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint, configCmd []string)
 return entrypoint, args
 }
-func parseSecurityOpt(container *Container, config *runconfig.Config) error {
+func parseSecurityOpt(container *Container, config *runconfig.HostConfig) error {
 var (
- label_opts []string
- err error
+ labelOpts []string
+ err error
 )
 for _, opt := range config.SecurityOpt {
@@ -541,15 +541,15 @@ func parseSecurityOpt(container *Container, config *runconfig.Config) error {
 }
 switch con[0] {
 case "label":
- label_opts = append(label_opts, con[1])
+ labelOpts = append(labelOpts, con[1])
 case "apparmor":
 container.AppArmorProfile = con[1]
 default:
 return fmt.Errorf("Invalid --security-opt: %q", opt)
 }
 }
- container.ProcessLabel, container.MountLabel, err = label.InitLabels(label_opts)
+ container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
 return err
 }
@@ -583,7 +583,6 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 execCommands: newExecStore(),
 }
 container.root = daemon.containerRoot(container.ID)
- err = parseSecurityOpt(container, config)
 return container, err
 }
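Review bot: In the second hunk of daemon/daemon.go, `container.AppArmorProfile = con[1]` is assigned inside the loop, so when a later entry reaches `default:` and returns an error the container keeps the profile from the earlier entry while the labels are never initialised. Since the options now arrive with each request's HostConfig, I would hold the profile in a local (`profile = con[1]`) and copy it to the container only after the loop has accepted every option, next to the `label.InitLabels(labelOpts)` call. The parameter is also still named `config` although it is now a `*runconfig.HostConfig`; `hostConfig` would match setHostConfig, and a doc comment on parseSecurityOpt should say that security options are accepted only from the caller-supplied HostConfig, never from the image-level Config. The start of the loop body lies outside the hunk.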
daemon/daemon_unit_test.go+1 −1 modified
@@ -8,7 +8,7 @@ import (
 func TestParseSecurityOpt(t *testing.T) {
 container := &Container{}
- config := &runconfig.Config{}
+ config := &runconfig.HostConfig{}
 // test apparmor
 config.SecurityOpt = []string{"apparmor:test_profile"}
daemon/start.go+3 −0 modified
@@ -44,6 +44,9 @@ func (daemon *Daemon) ContainerStart(job *engine.Job) engine.Status {
 }
 func (daemon *Daemon) setHostConfig(container *Container, hostConfig *runconfig.HostConfig) error {
+ if err := parseSecurityOpt(container, hostConfig); err != nil {
+ return err
+ }
 // Validate the HostConfig binds. Make sure that:
 // the source exists
 for _, bind := range hostConfig.Binds {
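Review bot: parseSecurityOpt ends with an unconditional assignment of `container.ProcessLabel` and `container.MountLabel` from `label.InitLabels`, so calling it at the top of setHostConfig re-derives both labels on every call, even when `hostConfig.SecurityOpt` is empty. If setHostConfig can run more than once for the same container (not visible in this hunk), the labels could change after the container's files were already labelled; that should be confirmed, and if it can happen the call could be guarded, for example `if container.ProcessLabel == "" || len(hostConfig.SecurityOpt) > 0 {`. A short comment above the call explaining that security options are applied from the request's HostConfig at this point would also help. The rest of setHostConfig lies outside the hunk.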
runconfig/config.go+0 −2 modified
@@ -32,7 +32,6 @@ type Config struct {
 Entrypoint []string
 NetworkDisabled bool
 OnBuild []string
- SecurityOpt []string
 }
 func ContainerConfigFromJob(job *engine.Job) *Config {
@@ -56,7 +55,6 @@ func ContainerConfigFromJob(job *engine.Job) *Config {
 }
 job.GetenvJson("ExposedPorts", &config.ExposedPorts)
 job.GetenvJson("Volumes", &config.Volumes)
- config.SecurityOpt = job.GetenvList("SecurityOpt")
 if PortSpecs := job.GetenvList("PortSpecs"); PortSpecs != nil {
 config.PortSpecs = PortSpecs
 }
runconfig/hostconfig.go+2 −0 modified
@@ -56,6 +56,7 @@ type HostConfig struct {
 CapAdd []string
 CapDrop []string
 RestartPolicy RestartPolicy
+ SecurityOpt []string
 }
 // This is used by the create command when you want to set both the
@@ -90,6 +91,7 @@ func ContainerHostConfigFromJob(job *engine.Job) *HostConfig {
 job.GetenvJson("PortBindings", &hostConfig.PortBindings)
 job.GetenvJson("Devices", &hostConfig.Devices)
 job.GetenvJson("RestartPolicy", &hostConfig.RestartPolicy)
+ hostConfig.SecurityOpt = job.GetenvList("SecurityOpt")
 if Binds := job.GetenvList("Binds"); Binds != nil {
 hostConfig.Binds = Binds
 }
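Review bot: The new `SecurityOpt` field in the first hunk of runconfig/hostconfig.go carries no comment recording why it lives in HostConfig rather than Config, and that placement is the security property this change establishes. I would add `// SecurityOpt holds the label and AppArmor options for the container; it is supplied by the API caller and must not be moved back into the image-level Config.` above the field, so a later refactor does not undo the separation. The struct definition starts outside the hunk.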
runconfig/parse.go+1 −1 modified
@@ -256,7 +256,6 @@ func Parse(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Config,
 Volumes: flVolumes.GetMap(),
 Entrypoint: entrypoint,
 WorkingDir: *flWorkingDir,
- SecurityOpt: flSecurityOpt.GetAll(),
 }
 hostConfig := &HostConfig{
@@ -276,6 +275,7 @@ func Parse(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Config,
 CapAdd: flCapAdd.GetAll(),
 CapDrop: flCapDrop.GetAll(),
 RestartPolicy: restartPolicy,
+ SecurityOpt: flSecurityOpt.GetAll(),
 }
 if sysInfo != nil && flMemory > 0 && !sysInfo.SwapLimit {
References (16)
- docs.docker.com/v1.3/release-notes/ (nvd, Vendor Advisory)
- github.com/advisories/GHSA-44gg-pmqr-4669 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-6408 (ghsa, ADVISORY)
- docs.docker.com/v1.3/release-notes (ghsa, WEB)
- github.com/docker/docker/commit/c9379eb3fbbc484c056f5a5e49d8d0b755a29c45 (ghsa, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html (ghsa, WEB)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html (ghsa, WEB)
- secunia.com/advisories/60171 (ghsa, WEB)
- secunia.com/advisories/60241 (ghsa, WEB)
- web.nvd.nist.gov/view/vuln/detail (ghsa, WEB)
- www.openwall.com/lists/oss-security/2014/11/24/5 (ghsa, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html (nvd)
- secunia.com/advisories/60171 (nvd)
- secunia.com/advisories/60241 (nvd)
- www.openwall.com/lists/oss-security/2014/11/24/5 (nvd)