rpm package
suse/docker-stable&distro=SUSE Linux Enterprise Module for Containers 15 SP7
pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7
Vulnerabilities (59)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-27191 | Hig | 7.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | |
| CVE-2021-41190 | Low | 3.0 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Nov 17, 2021 | The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operat | |
| CVE-2021-41091 | Med | 6.3 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege | |
| CVE-2021-41089 | Low | 2.8 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h | |
| CVE-2021-41092 | Med | 5.4 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Oct 4, 2021 | Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHel | |
| CVE-2021-41103 | Hig | 7.8 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Oct 4, 2021 | containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to tra | |
| CVE-2021-21285 | Med | 6.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. | |
| CVE-2021-21284 | Med | 6.8 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Feb 2, 2021 | In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy | |
| CVE-2020-15257 | Med | 5.2 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Dec 1, 2020 | containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified tha | |
| CVE-2020-12912 | Med | 5.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Nov 12, 2020 | A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr | |
| CVE-2020-8695 | Med | 5.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Nov 12, 2020 | Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. | |
| CVE-2020-8694 | Med | 5.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Nov 12, 2020 | Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | |
| CVE-2020-13401 | Med | 6.0 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Jun 2, 2020 | An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. | |
| CVE-2014-8179 | Hig | 7.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Dec 17, 2019 | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. | |
| CVE-2014-8178 | Med | 5.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Dec 17, 2019 | Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. | |
| CVE-2014-9356 | Hig | 8.6 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Dec 2, 2019 | Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. | |
| CVE-2019-14271 | Cri | 9.8 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Jul 29, 2019 | In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. | |
| CVE-2019-13509 | Hig | 7.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Jul 18, 2019 | In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non | |
| CVE-2018-15664 | Hig | 7.5 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | May 23, 2019 | In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do | |
| CVE-2018-20699 | Med | 4.9 | < 24.0.9_ce-150000.1.25.1 | 24.0.9_ce-150000.1.25.1 | Jan 12, 2019 | Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. |
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operat
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHel
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to tra
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesy
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified tha
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require pr
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do
- affected < 24.0.9_ce-150000.1.25.1fixed 24.0.9_ce-150000.1.25.1
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.
Page 2 of 3