CVE-2014-5277: Man-in-the-Middle (MitM)
CVSS Score: 5.3 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.71039%
CWE: -
Published: 2/15/2022
Updated: 11/22/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/docker/docker | go | < 1.3.1 | 1.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing TLS protocol version enforcement in three critical code paths:
- In api/server/server.go's ListenAndServe, the TLS server configuration lacked MinVersion, allowing insecure fallback.
- In docker/docker.go's main function, client-side TLS setup didn't restrict protocol versions.
- In registry/registry.go's newClient, registry communication TLS config permitted weak protocols.

All three were patched by adding MinVersion: tls.VersionTLS10 to their tls.Config declarations, directly addressing the protocol downgrade vulnerability.