PT-2018-4570 · Docker · Docker Notary

Published 2018-03-31 · Updated 2018-05-01 · CVE-2015-9259

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Docker Notary versions prior to 0.1

Description

The issue arises from the checkRoot function in gotuf/client/client.go, which fails to check the expiry of root.json files. This allows an attacker to produce update files that reference an old root.json file, even if a user creates a new root.json file after a key compromise.

Recommendations

For Docker Notary versions prior to 0.1, update to version 0.1 or later to resolve the issue. As a temporary workaround, consider manually verifying the expiry of root.json files to minimize the risk of exploitation.
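To make the defect concrete, the following is an added Go example, not code from the Notary or gotuf repositories. It models a minimal, constructed root.json (only the `_type`, `version` and `expires` fields of the signed section) and contrasts a hypothetical `checkRootVulnerable`, which parses the metadata but never consults `expires`, with `checkRootFixed`, which rejects root metadata whose expiry has passed. The function names, the struct and both sample documents are assumptions made for this illustration; the verification time is passed in explicitly so the result is deterministic.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// rootSigned is a constructed, minimal stand-in for the "signed" section of a
// TUF root.json; only the fields the expiry check needs are modelled.
type rootSigned struct {
	Type    string    `json:"_type"`
	Version int       `json:"version"`
	Expires time.Time `json:"expires"`
}

// ErrRootExpired is returned when root metadata is past its expiry.
var ErrRootExpired = errors.New("root metadata has expired")

// Constructed sample inputs: one root.json that expired at the start of 2015
// and one that is still valid at the verification time used in main.
var (
	staleRootJSON = []byte(`{"_type":"Root","version":1,"expires":"2015-01-01T00:00:00Z"}`)
	freshRootJSON = []byte(`{"_type":"Root","version":2,"expires":"2016-01-01T00:00:00Z"}`)
)

// parseRoot decodes the metadata and confirms it is of the Root type.
func parseRoot(raw []byte) (*rootSigned, error) {
	var r rootSigned
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parse root.json: %w", err)
	}
	if r.Type != "Root" {
		return nil, fmt.Errorf("unexpected metadata type %q", r.Type)
	}
	return &r, nil
}

// checkRootVulnerable reproduces the flaw the advisory describes: the root
// metadata is parsed and type-checked, but its expires field is never
// consulted, so a stale root.json is accepted no matter how old it is.
func checkRootVulnerable(raw []byte) (*rootSigned, error) {
	return parseRoot(raw)
}

// checkRootFixed adds the missing expiry check. A root.json whose expiry is
// at or before now is rejected with ErrRootExpired, so an outdated root can no
// longer be used to anchor an update once a fresh root has been issued.
func checkRootFixed(raw []byte, now time.Time) (*rootSigned, error) {
	r, err := parseRoot(raw)
	if err != nil {
		return nil, err
	}
	if !now.Before(r.Expires) {
		return nil, fmt.Errorf("root.json version %d expired at %s: %w",
			r.Version, r.Expires.UTC().Format(time.RFC3339), ErrRootExpired)
	}
	return r, nil
}

func main() {
	// Constructed verification time: after the stale root expired, before the
	// fresh one does.
	now := time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, in := range [][]byte{staleRootJSON, freshRootJSON} {
		_, vErr := checkRootVulnerable(in)
		_, fErr := checkRootFixed(in, now)
		fmt.Printf("vulnerable check error: %v | fixed check error: %v\n", vErr, fErr)
	}
}
```

Running the block prints that the vulnerable checker accepts both documents while the fixed one rejects the stale root and accepts the fresh one. The expiry comparison uses `!now.Before(expires)` so that metadata expiring exactly at the verification instant is treated as expired, and the verification time is injected rather than read from the wall clock so the check can be tested against fixed inputs.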

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2015-9259

Affected Products

Docker Notary