
CVE-2014-5277: Man-in-the-Middle (MitM)

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.71039%
CWE: -
Published: 2/15/2022
Updated: 11/22/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name              Ecosystem  Vulnerable Versions  First Patched Version
github.com/docker/docker  go         < 1.3.1              1.3.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from missing TLS protocol version enforcement in three critical code paths:

  1. In api/server/server.go's ListenAndServe, the TLS server configuration lacked MinVersion, allowing insecure fallback.
  2. In docker/docker.go's main function, client-side TLS setup didn't restrict protocol versions.
  3. In registry/registry.go's newClient, the registry communication TLS config permitted weak protocols.

All three were patched by adding MinVersion: tls.VersionTLS10 to their tls.Config declarations, directly addressing the protocol downgrade vulnerability.
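The following Go program is an added example, not Docker's code and not part of Miggo's analysis. It shows the two tls.Config shapes the analysis contrasts (MinVersion left unset versus pinned) and a small audit helper that flags any configuration without an explicit protocol floor. The config names in main are constructed labels for the three code paths listed above, and the floor is a parameter so the same check can be run at the TLS 1.0 value the fix used or at the TLS 1.2 floor that RFC 8996 now expects.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
)

// legacyConfig mirrors the pre-fix shape described above: MinVersion is left
// at its zero value, so the protocol floor is whatever the Go toolchain's
// crypto/tls default happens to be for the version Docker was built with.
func legacyConfig() *tls.Config {
	return &tls.Config{
		// Certificate and key fields omitted; only the version floor matters here.
	}
}

// patchedConfig mirrors the fix the analysis describes: an explicit floor.
func patchedConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10}
}

// versionName renders a crypto/tls version constant for reports.
func versionName(v uint16) string {
	switch v {
	case 0:
		return "unset (toolchain default)"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

// minVersionEnforced reports whether cfg explicitly pins a protocol floor at
// or above want. An unset MinVersion (0) never counts as enforced; that is the
// defect shared by the three code paths listed above.
func minVersionEnforced(cfg *tls.Config, want uint16) bool {
	return cfg != nil && cfg.MinVersion != 0 && cfg.MinVersion >= want
}

// auditConfigs returns, sorted by name, the configs that do not enforce a
// floor of at least want. It returns an empty slice when all of them pass.
func auditConfigs(configs map[string]*tls.Config, want uint16) []string {
	failing := []string{}
	for name, cfg := range configs {
		if !minVersionEnforced(cfg, want) {
			failing = append(failing, name)
		}
	}
	sort.Strings(failing)
	return failing
}

func main() {
	// Constructed set of configs standing in for the three code paths; only
	// the server-side config is left in its legacy shape here.
	configs := map[string]*tls.Config{
		"api/server ListenAndServe": legacyConfig(),
		"docker client":             patchedConfig(),
		"registry newClient":        patchedConfig(),
	}
	for name, cfg := range configs {
		fmt.Printf("%-26s MinVersion=%s\n", name, versionName(cfg.MinVersion))
	}
	fmt.Println("lacking a TLS 1.0 floor:", auditConfigs(configs, tls.VersionTLS10))
	fmt.Println("lacking a TLS 1.2 floor:", auditConfigs(configs, tls.VersionTLS12))
}
```

Run at the TLS 1.0 floor, only the legacy server config is reported; run at TLS 1.2, all three are reported, which is the useful reading for a current deployment, since a floor of tls.VersionTLS10 still admits the deprecated TLS 1.0 and 1.1 handshakes.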


WAF Protection Rules

WAF Rule

Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network p
