All the vulnerabilites related to moby - moby
cve-2024-29018
Vulnerability from cvelistv5
Published
2024-03-20 20:27
Modified
2024-08-13 17:00
Severity ?
EPSS score ?
Summary
External DNS requests from 'internal' networks could lead to data exfiltration
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx | x_refsource_CONFIRM | |
https://github.com/moby/moby/pull/46609 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T01:03:51.630Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx" }, { "name": "https://github.com/moby/moby/pull/46609", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/pull/46609" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "mobyproject", "versions": [ { "lessThan": "23.0.11", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "25.0.5", "status": "affected", "version": "25.0.0", "versionType": "custom" }, { "lessThan": "26.0.0-rc3", "status": "affected", "version": "26.0.0-rc1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-29018", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-28T19:09:14.709513Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-13T17:00:25.512Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 26.0.0-rc1, \u003c 26.0.0-rc3" }, { "status": "affected", "version": "\u003e= 25.0.0, \u003c 25.0.5" }, { "status": "affected", "version": "\u003c 23.0.11" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby\u0027s networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\n\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\n\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\n\nIn addition to configuring the Linux kernel\u0027s various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\n\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container\u0027s network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\n\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\n\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host\u0027s configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\n\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace\u0027s normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\n\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\n\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container\u0027s network namespace." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-669", "description": "CWE-669: Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-20T20:27:00.491Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx" }, { "name": "https://github.com/moby/moby/pull/46609", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/pull/46609" } ], "source": { "advisory": "GHSA-mq39-4gv4-mvpx", "discovery": "UNKNOWN" }, "title": "External DNS requests from \u0027internal\u0027 networks could lead to data exfiltration" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-29018", "datePublished": "2024-03-20T20:27:00.491Z", "dateReserved": "2024-03-14T16:59:47.610Z", "dateUpdated": "2024-08-13T17:00:25.512Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28841
Vulnerability from cvelistv5
Published
2023-04-04 21:12
Modified
2024-08-02 13:51
Severity ?
EPSS score ?
Summary
moby/moby's dockerd daemon encrypted overlay network traffic may be unencrypted
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T13:51:38.268Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "name": "https://github.com/moby/moby/issues/43382", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/issues/43382" }, { "name": "https://github.com/moby/moby/pull/45118", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/pull/45118" }, { "name": "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 1.12.0, \u003c 20.10.24" }, { "status": "affected", "version": "\u003e= 23.0.0, \u003c 23.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet\u0027s VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nAn iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.\n\nEncrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.\n\nIt is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime\u0027s 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311: Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-636", "description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-04T21:12:17.406Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "name": "https://github.com/moby/moby/issues/43382", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/issues/43382" }, { "name": "https://github.com/moby/moby/pull/45118", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/pull/45118" }, { "name": "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "source": { "advisory": "GHSA-33pg-m6jh-5237", "discovery": "UNKNOWN" }, "title": "moby/moby\u0027s dockerd daemon encrypted overlay network traffic may be unencrypted" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28841", "datePublished": "2023-04-04T21:12:17.406Z", "dateReserved": "2023-03-24T16:25:34.466Z", "dateUpdated": "2024-08-02T13:51:38.268Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32473
Vulnerability from cvelistv5
Published
2024-04-18 21:55
Modified
2024-08-21 14:21
Severity ?
EPSS score ?
Summary
Moby IPv6 enabled on IPv4-only network interfaces
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T02:13:39.266Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9" }, { "name": "https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-32473", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T13:58:32.109708Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-21T14:21:22.127Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 26.0.0, \u003c 26.0.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-18T21:55:50.445Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9" }, { "name": "https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642" } ], "source": { "advisory": "GHSA-x84c-p2g9-rqv9", "discovery": "UNKNOWN" }, "title": "Moby IPv6 enabled on IPv4-only network interfaces" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-32473", "datePublished": "2024-04-18T21:55:50.445Z", "dateReserved": "2024-04-12T19:41:51.167Z", "dateUpdated": "2024-08-21T14:21:22.127Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-41110
Vulnerability from cvelistv5
Published
2024-07-24 16:49
Modified
2024-10-13 21:03
Severity ?
EPSS score ?
Summary
Moby authz zero length regression
References
Impacted products
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:docker:moby:19.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "19.03.15", "status": "affected", "version": "19.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:20.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "20.10.27", "status": "affected", "version": "20.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:23.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "23.0.14", "status": "affected", "version": "23.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:24.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "24.0.9", "status": "affected", "version": "24.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:25.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "25.0.5", "status": "affected", "version": "25.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "26.0.2", "status": "affected", "version": "26.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "26.1.14", "status": "affected", "version": "26.1.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:27.1.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "status": "affected", "version": "27.1.0" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:26.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "26.0.2", "status": "affected", "version": "26.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:26.1.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "26.1.14", "status": "affected", "version": "26.1.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:docker:moby:27.0.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "moby", "vendor": "docker", "versions": [ { "lessThanOrEqual": "27.0.3", "status": "affected", "version": "27.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-41110", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-26T03:55:30.375492Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-29T21:01:46.898Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-10-13T21:03:34.392Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq" }, { "name": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191" }, { "name": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76" }, { "name": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919" }, { "name": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b" }, { "name": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0" }, { "name": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1" }, { "name": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00" }, { "name": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f" }, { "name": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801" }, { "name": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb" }, { "name": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin" }, { "url": "https://security.netapp.com/advisory/ntap-20240802-0001/" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 19.03.0, \u003c= 19.03.15" }, { "status": "affected", "version": "\u003e= 20.0.0, \u003c= 20.10.27" }, { "status": "affected", "version": "\u003e= 23.0.0, \u003c= 23.0.14" }, { "status": "affected", "version": "\u003e= 24.0.0, \u003c= 24.0.9" }, { "status": "affected", "version": "\u003e= 25.0.0, \u003c= 25.0.5" }, { "status": "affected", "version": "\u003e= 26.0.0, \u003c= 26.0.2" }, { "status": "affected", "version": "\u003e= 26.1.0, \u003c= 26.1.14" }, { "status": "affected", "version": "\u003e= 27.0.0, \u003c= 27.0.3" }, { "status": "affected", "version": "= 27.1.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.\n\nUsing a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.\n\nA security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.\n\nDocker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.\n\ndocker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-187", "description": "CWE-187: Partial String Comparison", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-30T19:09:22.764Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq" }, { "name": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191" }, { "name": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76" }, { "name": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919" }, { "name": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b" }, { "name": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0" }, { "name": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1" }, { "name": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00" }, { "name": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f" }, { "name": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801" }, { "name": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb" }, { "name": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin", "tags": [ "x_refsource_MISC" ], "url": "https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin" } ], "source": { "advisory": "GHSA-v23v-6jw2-98fq", "discovery": "UNKNOWN" }, "title": "Moby authz zero length regression" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-41110", "datePublished": "2024-07-24T16:49:53.068Z", "dateReserved": "2024-07-15T15:53:28.321Z", "dateUpdated": "2024-10-13T21:03:34.392Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-36109
Vulnerability from cvelistv5
Published
2022-09-09 17:20
Modified
2024-08-03 09:52
Severity ?
EPSS score ?
Summary
Moby vulnerability relating to supplementary group permissions
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v20.10.18 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/ | vendor-advisory, x_refsource_FEDORA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T09:52:00.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.18" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-16T01:06:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ], "source": { "advisory": "GHSA-rc4r-wh2q-q6c4", "discovery": "UNKNOWN" }, "title": "Moby vulnerability relating to supplementary group permissions", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36109", "STATE": "PUBLIC", "TITLE": "Moby vulnerability relating to supplementary group permissions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.18" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4" }, { "name": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32" }, { "name": "https://github.com/moby/moby/releases/tag/v20.10.18", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v20.10.18" }, { "name": "FEDORA-2022-b027a13a39", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/" }, { "name": "FEDORA-2022-8298607490", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/" } ] }, "source": { "advisory": "GHSA-rc4r-wh2q-q6c4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36109", "datePublished": "2022-09-09T17:20:11", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:52:00.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24769
Vulnerability from cvelistv5
Published
2022-03-24 00:00
Modified
2024-08-03 04:20
Severity ?
EPSS score ?
Summary
Default inheritable capabilities for linux container should be empty
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f" }, { "tags": [ "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.14" }, { "name": "FEDORA-2022-e9a09c1a7d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/" }, { "name": "FEDORA-2022-ed53f2439a", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/" }, { "name": "FEDORA-2022-c07546070d", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/" }, { "name": "FEDORA-2022-cac2323802", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/" }, { "name": "FEDORA-2022-eda0049dd7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/" }, { "name": "FEDORA-2022-3826c8f549", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/" }, { "name": "[oss-security] 20220512 CVE-2022-29162: runc \u003c 1.1.2 incorrect handling of inheritable capabilities in default configuration", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/12/1" }, { "name": "DSA-5162", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5162" }, { "name": "GLSA-202401-31", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202401-31" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.14" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container\u0027s bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container\u0027s bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-31T13:06:22.056004", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq" }, { "url": "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f" }, { "url": "https://github.com/moby/moby/releases/tag/v20.10.14" }, { "name": "FEDORA-2022-e9a09c1a7d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/" }, { "name": "FEDORA-2022-ed53f2439a", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/" }, { "name": "FEDORA-2022-c07546070d", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/" }, { "name": "FEDORA-2022-cac2323802", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/" }, { "name": "FEDORA-2022-eda0049dd7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/" }, { "name": "FEDORA-2022-3826c8f549", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/" }, { "name": "[oss-security] 20220512 CVE-2022-29162: runc \u003c 1.1.2 incorrect handling of inheritable capabilities in default configuration", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/12/1" }, { "name": "DSA-5162", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2022/dsa-5162" }, { "name": "GLSA-202401-31", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202401-31" } ], "source": { "advisory": "GHSA-2mm7-x5h6-5pvq", "discovery": "UNKNOWN" }, "title": "Default inheritable capabilities for linux container should be empty" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24769", "datePublished": "2022-03-24T00:00:00", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41091
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
Insufficiently restricted permissions on data directory in Docker Engine
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA | |
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T10:06:37", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "source": { "advisory": "GHSA-3fwx-pjgw-3558", "discovery": "UNKNOWN" }, "title": "Insufficiently restricted permissions on data directory in Docker Engine", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41091", "STATE": "PUBLIC", "TITLE": "Insufficiently restricted permissions on data directory in Docker Engine" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.9" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-281: Improper Preservation of Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558" }, { "name": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64" }, { "name": "FEDORA-2021-df975338d4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ] }, "source": { "advisory": "GHSA-3fwx-pjgw-3558", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41091", "datePublished": "2021-10-04T20:20:09", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-24557
Vulnerability from cvelistv5
Published
2024-02-01 16:26
Modified
2024-08-01 23:19
Severity ?
EPSS score ?
Summary
Moby classic builder cache poisoning
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:19:52.928Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc" }, { "name": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 25.0.0, \u003c 25.0.2" }, { "status": "affected", "version": " \u003c 24.0.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-01T17:38:40.747Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc" }, { "name": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae" } ], "source": { "advisory": "GHSA-xw73-rw38-6vjc", "discovery": "UNKNOWN" }, "title": "Moby classic builder cache poisoning" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-24557", "datePublished": "2024-02-01T16:26:29.685Z", "dateReserved": "2024-01-25T15:09:40.208Z", "dateUpdated": "2024-08-01T23:19:52.928Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28840
Vulnerability from cvelistv5
Published
2023-04-04 21:13
Modified
2024-08-02 13:51
Severity ?
EPSS score ?
Summary
moby/moby's dockerd daemon encrypted overlay network may be unauthenticated
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T13:51:38.250Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "name": "https://github.com/moby/moby/issues/43382", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/issues/43382" }, { "name": "https://github.com/moby/moby/pull/45118", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/pull/45118" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 1.12.0, \u003c 20.10.24" }, { "status": "affected", "version": "\u003e= 23.0.0, \u003c 23.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet\u0027s VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nTwo iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.\n\nThe injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container\u2019s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.\n\nPatches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime\u0027s 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-420", "description": "CWE-420: Unprotected Alternate Channel", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-636", "description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-04T21:13:03.347Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "name": "https://github.com/moby/moby/issues/43382", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/issues/43382" }, { "name": "https://github.com/moby/moby/pull/45118", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/pull/45118" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "source": { "advisory": "GHSA-232p-vwff-86mp", "discovery": "UNKNOWN" }, "title": "moby/moby\u0027s dockerd daemon encrypted overlay network may be unauthenticated" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28840", "datePublished": "2023-04-04T21:13:03.347Z", "dateReserved": "2023-03-24T16:25:34.466Z", "dateUpdated": "2024-08-02T13:51:38.250Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21285
Vulnerability from cvelistv5
Published
2021-02-02 17:55
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
Docker daemon crash during image pull of malicious image
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8 | x_refsource_CONFIRM | |
https://docs.docker.com/engine/release-notes/#20103 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v20.10.3 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v19.03.15 | x_refsource_MISC | |
https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30 | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20210226-0005/ | x_refsource_CONFIRM | |
https://www.debian.org/security/2021/dsa-4865 | vendor-advisory, x_refsource_DEBIAN | |
https://security.gentoo.org/glsa/202107-23 | vendor-advisory, x_refsource_GENTOO |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.012Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 19.03.15" }, { "status": "affected", "version": "\u003e= 20.0.0, \u003c 20.10.3" } ] } ], "descriptions": [ { "lang": "en", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-10T04:06:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8" }, { "tags": [ "x_refsource_MISC" ], "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-23" } ], "source": { "advisory": "GHSA-6fj5-m822-rqx8", "discovery": "UNKNOWN" }, "title": "Docker daemon crash during image pull of malicious image", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21285", "STATE": "PUBLIC", "TITLE": "Docker daemon crash during image pull of malicious image" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 19.03.15" }, { "version_value": "\u003e= 20.0.0, \u003c 20.10.3" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8" }, { "name": "https://docs.docker.com/engine/release-notes/#20103", "refsource": "MISC", "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "name": "https://github.com/moby/moby/releases/tag/v20.10.3", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "name": "https://github.com/moby/moby/releases/tag/v19.03.15", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "name": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-23" } ] }, "source": { "advisory": "GHSA-6fj5-m822-rqx8", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21285", "datePublished": "2021-02-02T17:55:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.012Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41089
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
`docker cp` allows unexpected chmod of host files
References
▼ | URL | Tags |
---|---|---|
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4 | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA | |
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.512Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 20.10.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-281", "description": "CWE-281: Improper Preservation of Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T10:06:38", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ], "source": { "advisory": "GHSA-v994-f8vw-g7j4", "discovery": "UNKNOWN" }, "title": "`docker cp` allows unexpected chmod of host files", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41089", "STATE": "PUBLIC", "TITLE": "`docker cp` allows unexpected chmod of host files" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 20.10.9" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-281: Improper Preservation of Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4" }, { "name": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a" }, { "name": "FEDORA-2021-df975338d4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/" }, { "name": "FEDORA-2021-b5a9a481a2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/" }, { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf" } ] }, "source": { "advisory": "GHSA-v994-f8vw-g7j4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41089", "datePublished": "2021-10-04T20:20:15", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.512Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21284
Vulnerability from cvelistv5
Published
2021-02-02 17:55
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
privilege escalation in Moby
References
▼ | URL | Tags |
---|---|---|
https://docs.docker.com/engine/release-notes/#20103 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v20.10.3 | x_refsource_MISC | |
https://github.com/moby/moby/releases/tag/v19.03.15 | x_refsource_MISC | |
https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc | x_refsource_CONFIRM | |
https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20210226-0005/ | x_refsource_CONFIRM | |
https://www.debian.org/security/2021/dsa-4865 | vendor-advisory, x_refsource_DEBIAN | |
https://security.gentoo.org/glsa/202107-23 | vendor-advisory, x_refsource_GENTOO |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.042Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202107-23" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003c 19.03.15" }, { "status": "affected", "version": "\u003e= 20.0.0, \u003c 20.10.3" } ] } ], "descriptions": [ { "lang": "en", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-10T04:06:25", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202107-23" } ], "source": { "advisory": "GHSA-7452-xqpj-6rpc", "discovery": "UNKNOWN" }, "title": "privilege escalation in Moby", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21284", "STATE": "PUBLIC", "TITLE": "privilege escalation in Moby" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "moby", "version": { "version_data": [ { "version_value": "\u003c 19.03.15" }, { "version_value": "\u003e= 20.0.0, \u003c 20.10.3" } ] } } ] }, "vendor_name": "moby" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://docs.docker.com/engine/release-notes/#20103", "refsource": "MISC", "url": "https://docs.docker.com/engine/release-notes/#20103" }, { "name": "https://github.com/moby/moby/releases/tag/v20.10.3", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v20.10.3" }, { "name": "https://github.com/moby/moby/releases/tag/v19.03.15", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v19.03.15" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc" }, { "name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0005/" }, { "name": "DSA-4865", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202107-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-23" } ] }, "source": { "advisory": "GHSA-7452-xqpj-6rpc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21284", "datePublished": "2021-02-02T17:55:22", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-28842
Vulnerability from cvelistv5
Published
2023-04-04 21:07
Modified
2024-08-02 13:51
Severity ?
EPSS score ?
Summary
moby/moby's dockerd daemon encrypted overlay network with a single endpoint is unauthenticated
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T13:51:38.540Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "moby", "vendor": "moby", "versions": [ { "status": "affected", "version": "\u003e= 1.12.0, \u003c 20.10.24" }, { "status": "affected", "version": "\u003e= 23.0.0, \u003c 23.0.3" } ] } ], "descriptions": [ { "lang": "en", "value": "Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet\u0027s VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nThe `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.\n\nEncrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime\u0027s 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. In multi-node clusters, deploy a global \u2018pause\u2019 container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-420", "description": "CWE-420: Unprotected Alternate Channel", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-636", "description": "CWE-636: Not Failing Securely (\u0027Failing Open\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-04T21:07:27.575Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p" }, { "name": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237" }, { "name": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/" } ], "source": { "advisory": "GHSA-6wrf-mxfj-pf5p", "discovery": "UNKNOWN" }, "title": "moby/moby\u0027s dockerd daemon encrypted overlay network with a single endpoint is unauthenticated" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-28842", "datePublished": "2023-04-04T21:07:27.575Z", "dateReserved": "2023-03-24T16:25:34.466Z", "dateUpdated": "2024-08-02T13:51:38.540Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }