cve: ./data/2016/8xxx/CVE-2016-8954.json
IBM dashDB Local uses hard-coded credentials that could allow a remote attacker to gain access to the Docker container or database.
analysis: {"Conatiner":"IBM dashDB Local","CVE_Reason":"Hard-coded credentials, keys and other sensitive information","CVE_Consequence":"A remote attacker can use these hard-coded credentials to access the Docker container or database, which may lead to data disclosure or further compromise of the system; severity is relatively high"}

cve: ./data/2019/5xxx/CVE-2019-5021.json
Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the `root` user. This vulnerability appears to be the result of a regression introduced in December of 2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container which utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database, may accept a NULL password for the `root` user.
analysis: {"Conatiner":"Alpine Linux Docker images","CVE_Reason":"Improperly protected password configuration; the image contains a NULL password for the root user","CVE_Consequence":"May allow an attacker unauthorized access to the container as root; severity high"}

cve: ./data/2020/11xxx/CVE-2020-11878.json
The Jitsi Meet (aka docker-jitsi-meet) stack on Docker before stable-4384-1 uses default passwords (such as passw0rd) for system accounts.
analysis: {"Conatiner":"docker-jitsi-meet","CVE_Reason":"Default passwords","CVE_Consequence":"May lead to unauthorized access; severity: high"}

cve: ./data/2020/15xxx/CVE-2020-15157.json
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.
If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
analysis:
```json
{"Conatiner":"containerd","CVE_Reason":"Improperly protected authentication credentials","CVE_Consequence":"By tricking a user into pulling a specific image, an attacker can obtain the authentication credentials used to pull that image, which may expose the user's registry username and password or the cloud instance's credentials and thereby grant access to other cloud resources. Severity is relatively high."}
```

cve: ./data/2020/29xxx/CVE-2020-29389.json
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. Systems using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Crux Linux Docker images 3.0 through 3.4","CVE_Reason":"No root password set; the blank password is written into the image and shared with all users","CVE_Consequence":"Allows an attacker to gain root privileges in the container with a blank password; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29564.json
The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user.
Systems using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Consul Docker image","CVE_Reason":"No password set for the root user; a blank password exists","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29575.json
The official elixir Docker images before 1.8.0-alpine (Alpine specific) contain a blank password for a root user. Systems using the elixir Linux Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"elixir Docker images","CVE_Reason":"No root password set; a root account with a blank password exists","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29576.json
The official eggdrop Docker images before 1.8.4rc2 contain a blank password for a root user. Systems using the Eggdrop Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"eggdrop","CVE_Reason":"No root password set","CVE_Consequence":"A remote attacker can gain root privileges with an empty password; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29577.json
The official znc docker images before 1.7.1-slim contain a blank password for a root user. Systems using the znc docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"znc","CVE_Reason":"Root user with no password set","CVE_Consequence":"A remote attacker can gain root privileges with a blank password; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29578.json
The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the Piwik Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access.
analysis: {"Conatiner":"piwik Docker images","CVE_Reason":"Root user account with no password set","CVE_Consequence":"A remote attacker can exploit this vulnerability to gain root privileges in the container; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29579.json
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access.
analysis: {"Conatiner":"Express Gateway Docker","CVE_Reason":"Root user credentials with no password set","CVE_Consequence":"A remote attacker can exploit this vulnerability to gain root access to the container; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29580.json
The official storm Docker images before 1.2.1 contain a blank password for a root user. Systems using the Storm Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"storm Docker images","CVE_Reason":"No root password set","CVE_Consequence":"A remote attacker can use the blank password to gain root access; severity: high"}

cve: ./data/2020/29xxx/CVE-2020-29581.json
The official spiped docker images before 1.5-alpine contain a blank password for a root user. Systems using the spiped docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"spiped","CVE_Reason":"No root password set; the blank password is written into the image and shared with all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29591.json
Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected versions of the registry container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"registry Docker image","CVE_Reason":"No password set for the root user","CVE_Consequence":"A remote attacker can gain root privileges with a blank password; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29601.json
The official notary docker images before signer-0.6.1-1 contain a blank password for a root user.
Systems using the notary docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"notary docker images","CVE_Reason":"No root password set; the blank password is written into the image and shared with all users","CVE_Consequence":"A remote attacker can use the blank password to gain root access to the container; severity high"}

cve: ./data/2020/29xxx/CVE-2020-29602.json
The official irssi docker images before 1.1-alpine (Alpine specific) contain a blank password for a root user. Systems using the irssi docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.
analysis:
```json
{"Conatiner":"irssi","CVE_Reason":"No root password set, leaving the password empty","CVE_Consequence":"A remote attacker can use the blank password to gain root access to the container; severity: high"}
```

cve: ./data/2020/35xxx/CVE-2020-35184.json
The official composer docker images before 1.8.3 contain a blank password for a root user. Systems using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Composer Docker image","CVE_Reason":"No root password set; a root account with a blank password exists","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges in the container; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35185.json
The official ghost docker images before 2.16.1-alpine (Alpine specific) contain a blank password for a root user. Systems using the ghost docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"ghost docker images","CVE_Reason":"No root password set; a blank-password issue exists","CVE_Consequence":"Allows a remote attacker to gain root privileges with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35186.json
The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. Systems using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Adminer Docker image","CVE_Reason":"No root password set; the blank password is written into the image and available to all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35187.json
The official telegraf docker images before 1.9.4-alpine (Alpine specific) contain a blank password for a root user. Systems using the telegraf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"telegraf","CVE_Reason":"Root user with no password set","CVE_Consequence":"Allows a remote attacker to gain root privileges with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35189.json
The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. Systems using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"kong docker images","CVE_Reason":"No root password set; the blank password is written into the image and shared with all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges in the container; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35190.json
The official plone Docker images before version 4.3.18-alpine (Alpine specific) contain a blank password for a root user. Systems using the plone docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"plone Docker image","CVE_Reason":"No password set for the root user; a blank password exists","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges in the container; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35191.json
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"drupal docker images","CVE_Reason":"No root password set, leaving the password empty","CVE_Consequence":"Allows a remote attacker to gain root access with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35192.json
The official vault docker images before 0.11.6 contain a blank password for a root user. Systems using the vault docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"vault","CVE_Reason":"Files or configuration with no root password set","CVE_Consequence":"A remote attacker can gain root privileges with an empty password; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35193.json
The official sonarqube docker images before alpine (Alpine specific) contain a blank password for a root user. Systems using the sonarqube docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"sonarqube","CVE_Reason":"No root password set; the blank password is written into the image and shared by all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges in the container; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35195.json
The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. Systems using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"haproxy","CVE_Reason":"No root password set, leaving the password empty","CVE_Consequence":"A remote attacker can exploit this vulnerability to gain root privileges in the container with an empty password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35196.json
The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. Systems using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"rabbitmq","CVE_Reason":"Root user credentials with no password set","CVE_Consequence":"Allows a remote attacker to gain root privileges with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35197.json
The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. Systems using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"memcached","CVE_Reason":"Files or configuration information with no root password set","CVE_Consequence":"A remote attacker can gain root privileges with a blank password; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35462.json
Version 3.16.0 of the CoScale agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the CoScale agent container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"CoScale agent Docker image","CVE_Reason":"No root password set","CVE_Consequence":"A remote attacker can exploit this vulnerability to gain root access with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35463.json
Version 1.0.0 of the Instana Dynamic APM Docker image contains a blank password for the root user. Systems deployed using affected versions of the Instana Dynamic APM container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Instana Dynamic APM Docker image","CVE_Reason":"Unset, blank root user password","CVE_Consequence":"Allows a remote attacker to gain root privileges with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35464.json
Version 1.3.0 of the Weave Cloud Agent Docker image contains a blank password for the root user. Systems deployed using affected versions of the Weave Cloud Agent container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Weave Cloud Agent Docker image","CVE_Reason":"The container image contains a blank root user password","CVE_Consequence":"A remote attacker can exploit this vulnerability to gain root privileges with a blank password; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35466.json
The Blackfire Docker image through 2020-12-14 contains a blank password for the root user.
Systems deployed using affected versions of the Blackfire container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Blackfire Docker image","CVE_Reason":"No password set for the root user","CVE_Consequence":"Allows a remote attacker to gain root privileges with an empty password; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35467.json
The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Docker Docs Docker image","CVE_Reason":"No password set for the root user; the blank password is written into the image and shared with all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity: high"}

cve: ./data/2020/35xxx/CVE-2020-35468.json
The Appbase streams Docker image 2.1.2 contains a blank password for the root user. Systems deployed using affected versions of the streams container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Appbase streams Docker image 2.1.2","CVE_Reason":"No password set for the root user; the blank password is written into the image and shared by all users","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity high"}

cve: ./data/2020/35xxx/CVE-2020-35469.json
The Software AG Terracotta Server OSS Docker image 5.4.1 contains a blank password for the root user. Systems deployed using affected versions of the Terracotta Server OSS container may allow a remote attacker to achieve root access with a blank password.
analysis: {"Conatiner":"Software AG Terracotta Server OSS Docker image 5.4.1","CVE_Reason":"Unset, blank root user password","CVE_Consequence":"A remote attacker can use the blank password to gain root privileges; severity: high"}