PT-2018-4570 · Docker · Docker Notary

Published: 2018-03-31 · Updated: 2018-05-01 · CVE-2015-9259

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Docker Notary versions prior to 0.1

Description: The issue arises from the checkRoot function in gotuf/client/client.go, which fails to check the expiry of root.json files. This allows an attacker to produce update files that reference an old root.json file, even if a user creates a new root.json file after a key compromise.

Recommendations: For Docker Notary versions prior to 0.1, update to version 0.1 or later to resolve the issue. As a temporary workaround, consider manually verifying the expiry of root.json files to minimize the risk of exploitation.
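
The manual expiry check named in the workaround could look like the following Go sketch, which is an added example and not code from Notary or gotuf. It assumes root.json follows the TUF metadata layout (a `signed` object with `_type` and an RFC 3339 `expires` field); the names `CheckRootExpiry`, `ErrRootExpired`, `rootMeta` and `sampleRoot` are hypothetical, and the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrRootExpired is returned when signed.expires is not in the future.
var ErrRootExpired = errors.New("root.json has expired")

// rootMeta holds only the fields of a TUF root.json needed for this check
// (assumed layout: signed._type and signed.expires).
type rootMeta struct {
	Signed struct {
		Type    string    `json:"_type"`
		Expires time.Time `json:"expires"` // RFC 3339 timestamp
	} `json:"signed"`
}

// CheckRootExpiry rejects root metadata that is malformed, is not of type
// root, lacks an expiry, or expired at or before now. It does not verify
// signatures; that check is separate and still required.
func CheckRootExpiry(raw []byte, now time.Time) error {
	var m rootMeta
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("parse root.json: %w", err)
	}
	if !strings.EqualFold(m.Signed.Type, "root") {
		return fmt.Errorf("unexpected _type %q", m.Signed.Type)
	}
	if m.Signed.Expires.IsZero() {
		return errors.New("root.json has no expires field") // fail closed
	}
	if !m.Signed.Expires.After(now) {
		return fmt.Errorf("%w: expired %s", ErrRootExpired, m.Signed.Expires.Format(time.RFC3339))
	}
	return nil
}

// Constructed sample metadata (not taken from a real repository).
const sampleRoot = `{"signed":{"_type":"Root","expires":"2016-01-01T00:00:00Z","version":1},"signatures":[]}`

func main() {
	now := time.Date(2018, 3, 31, 0, 0, 0, 0, time.UTC)
	fmt.Println(CheckRootExpiry([]byte(sampleRoot), now))
}
```

Passing the current time as a parameter keeps the check testable; a root.json that fails this check should be treated as untrusted regardless of whether its signatures validate.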

Fix

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2015-9259

Affected products

Docker Notary