Vulnerabilities related to mobyproject - moby
Vulnerability from fkie_nvd
Published
2024-03-20 21:15
Modified
2025-04-09 15:40
Severity
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.
When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.
Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.
In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.
When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.
As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.
Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.
Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address.
Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | * (< 23.0.11)
mobyproject | moby | * (>= 24.0.0, < 25.0.5)
mobyproject | moby | 26.0.0 rc1
mobyproject | moby | 26.0.0 rc2
mobyproject | moby | 26.0.0 rc3
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "F4E13D47-6199-4B46-B318-A62AEEAE309F", versionEndExcluding: "23.0.11", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "01ABEA35-A81E-4340-81DB-EECFBBE53A4A", versionEndExcluding: "25.0.5", versionStartIncluding: "24.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:26.0.0:rc1:*:*:*:*:*:*", matchCriteriaId: "38622C05-D42E-4CE6-B0E4-BAF3BE755FB7", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:26.0.0:rc2:*:*:*:*:*:*", matchCriteriaId: "40F72F18-4490-4AB7-8918-EE9F97C0696D", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:26.0.0:rc3:*:*:*:*:*:*", matchCriteriaId: "73634C7C-CEBD-4ADC-8DF5-E1907A4FD37A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\n\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. 
The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\n\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\n\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\n\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\n\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.\n\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. 
To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\n\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\n\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\n\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.", }, { lang: "es", value: "Moby es un marco de contenedores de código abierto que es un componente clave de Docker Engine, Docker Desktop y otras distribuciones de herramientas o tiempos de ejecución de contenedores. La implementación de redes de Moby permite definir muchas redes, cada una con su propio rango de direcciones IP y puerta de enlace. Esta característica se conoce frecuentemente como redes personalizadas, ya que cada red puede tener un controlador, un conjunto de parámetros y, por lo tanto, comportamientos diferentes. Al crear una red, el indicador `--internal` se utiliza para designar una red como _internal_. 
El atributo \"interno\" en un archivo docker-compose.yml también se puede usar para marcar una red como _interna_, y otros clientes API también pueden especificar el parámetro \"interno\". Cuando se crean contenedores con redes, se les asignan interfaces de red y direcciones IP únicas. El host sirve como enrutador para redes no internas, con una IP de puerta de enlace que proporciona SNAT/DNAT hacia/desde las IP del contenedor. Los contenedores en una red interna pueden comunicarse entre sí, pero no pueden comunicarse con ninguna red a la que el host tenga acceso (LAN o WAN), ya que no hay una ruta predeterminada configurada y las reglas de firewall están configuradas para eliminar todo el tráfico saliente. Es posible la comunicación con la dirección IP de la puerta de enlace (y, por lo tanto, con los servicios de host configurados adecuadamente), y el host puede comunicarse directamente con cualquier IP de contenedor. Además de configurar las diversas funciones de red del kernel de Linux para habilitar la red de contenedores, `dockerd` proporciona directamente algunos servicios a las redes de contenedores. El principal de ellos es servir como solucionador, permitiendo el descubrimiento de servicios y la resolución de nombres desde un solucionador ascendente. Cuando se recibe una solicitud de DNS para un nombre que no corresponde a un contenedor, la solicitud se reenvía al solucionador ascendente configurado. Esta solicitud se realiza desde el espacio de nombres de la red del contenedor: el nivel de acceso y enrutamiento del tráfico es el mismo que si la solicitud la realizara el propio contenedor. Como consecuencia de este diseño, los contenedores conectados únicamente a una red interna no podrán resolver nombres utilizando el solucionador ascendente, ya que el contenedor en sí no puede comunicarse con ese servidor de nombres. Sólo se pueden resolver los nombres de los contenedores también conectados a la red interna. 
Muchos sistemas ejecutan un solucionador de DNS de reenvío local. Como el host y cualquier contenedor tienen dispositivos de loopback separados, una consecuencia del diseño descrito anteriormente es que los contenedores no pueden resolver nombres desde el solucionador configurado del host, ya que no pueden alcanzar estas direcciones en el dispositivo de loopback del host. Para cerrar esta brecha y permitir que los contenedores resuelvan nombres correctamente incluso cuando se utiliza un solucionador de reenvío local en una dirección de loopback, `dockerd` detecta este escenario y en su lugar reenvía solicitudes DNS desde el espacio de nombres del trabajo de nombres del host. Luego, el solucionador de bucle invertido reenvía las solicitudes a sus solucionadores ascendentes configurados, como se esperaba. Debido a que `dockerd` reenvía solicitudes de DNS al dispositivo de bucle invertido del host, omitiendo por completo la semántica de enrutamiento normal del espacio de nombres de la red del contenedor, las redes internas pueden reenviar solicitudes de DNS inesperadamente a un servidor de nombres externo. 
Al registrar un dominio para el cual controlan los servidores de nombres autorizados, un atacante podría hacer que un contenedor comprometido extraiga datos codificándolos en consultas DNS que eventualmente serán respondidas por sus servidores de nombres.---TRUNCADO---", }, ], id: "CVE-2024-29018", lastModified: "2025-04-09T15:40:20.030", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-20T21:15:31.113", references: [ { source: "security-advisories@github.com", tags: [ "Issue Tracking", ], url: "https://github.com/moby/moby/pull/46609", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://github.com/moby/moby/pull/46609", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", 
value: "CWE-669", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-669", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-04 22:15
Modified
2024-11-21 07:56
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPsec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPsec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPsec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discard unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.
The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.
Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | * (>= 1.12.0, < 20.10.24)
mobyproject | moby | * (>= 23.0.0, < 23.0.3)
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "E7027BE5-D31C-40E5-81A4-A91028A687B3", versionEndExcluding: "20.10.24", versionStartIncluding: "1.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "911C8E32-9EC6-4AAD-93CD-C1880D06E3AD", versionEndExcluding: "23.0.3", versionStartIncluding: "23.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. 
By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nTwo iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.\n\nThe injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.\n\nPatches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. 
Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.", }, { lang: "es", value: "Moby es un framework de contenedores de código abierto desarrollado por Docker Inc. que se distribuye como Docker, Mirantis Container Runtime y varios otros proyectos/productos posteriores. El componente Moby daemon (`dockerd`), que se desarrolla como moby/moby, se conoce comúnmente como *Docker*. El modo Swarm, que se compila y entrega de forma predeterminada en Dockerd y, por lo tanto, está presente en la mayoría de las principales versiones de Moby, es un orquestador de contenedores integrado y simple que se implementa mediante una combinación de SwarmKit y código de red de soporte. El controlador de red superpuesta es una característica central del modo Swarm, que proporciona LAN virtuales aisladas que permiten la comunicación entre contenedores y servicios en todo el clúster. Este controlador es una implementación/usuario de VXLAN, que encapsula tramas de capa de enlace (Ethernet) en datagramas UDP que etiquetan la trama con un ID de red VXLAN (VNI) que identifica la red superpuesta de origen. Además, el controlador de red superpuesta admite un modo cifrado opcional, desactivado de forma predeterminada, que resulta especialmente útil cuando los paquetes VXLAN atraviesan una red que no es de confianza entre nodos. Las redes superpuestas cifradas funcionan encapsulando los datagramas VXLAN mediante el uso del protocolo IPsec Encapsulating Security Payload en modo Transporte. Al implementar la encapsulación IPSec, las redes superpuestas cifradas obtienen propiedades adicionales de autenticación de origen mediante prueba criptográfica, integridad de datos mediante suma de verificación y confidencialidad mediante cifrado. 
Al configurar un endpoint en una red superpuesta cifrada, Moby instala tres reglas de iptables (firewall del kernel de Linux) que aplican IPSec tanto entrante como saliente. Estas reglas se basan en la extensión u32 iptables proporcionada por el módulo del kernel xt_u32 para filtrar directamente el campo VNI de un paquete VXLAN, de modo que las garantías IPSec se puedan aplicar en redes superpuestas cifradas sin interferir con otras redes superpuestas u otros usuarios de VXLAN. Dos reglas de iptables sirven para filtrar datagramas VXLAN entrantes con un VNI que corresponde a una red cifrada y descarta los datagramas no cifrados. Las reglas se agregan al final de la cadena de filtros de ENTRADA, siguiendo las reglas que haya establecido previamente el administrador del sistema. Las reglas establecidas por el administrador tienen prioridad sobre las reglas que Moby establece para descartar datagramas VXLAN no cifrados, que potencialmente pueden admitir datagramas no cifrados que deberían haberse descartado. La inyección de tramas Ethernet arbitrarias puede permitir un ataque de denegación de servicio. Un atacante sofisticado puede establecer una conexión UDP o TCP a través de la puerta de enlace de salida del contenedor que, de otro modo, sería bloqueada por un firewall con estado, o llevar a cabo otras escaladas más allá de la simple inyección mediante el contrabando de paquetes en la red superpuesta. Los parches están disponibles en las versiones 23.0.3 y 20.10.24 de Moby. Como las versiones 20.10 de Mirantis Container Runtime tienen numeración diferente, los usuarios de esa plataforma deben actualizar a la versión 20.10.16. Algunos workarounds están disponibles. 
Cierre el puerto VXLAN (de forma predeterminada, el puerto UDP 4789) al tráfico entrante en el límite de Internet para evitar toda inyección de paquetes VXLAN y/o asegúrese de que el módulo del kernel `xt_u32` esté disponible en todos los nodos del clúster Swarm.", }, ], id: "CVE-2023-28840", lastModified: "2024-11-21T07:56:07.997", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4.7, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.7, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.8, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-04T22:15:07.853", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/moby/moby/issues/43382", }, { source: "security-advisories@github.com", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/moby/moby/pull/45118", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/moby/moby/issues/43382", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/moby/moby/pull/45118", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-420", }, { lang: "en", value: "CWE-636", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-203", }, { lang: "en", value: "CWE-755", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-04 21:15
Modified
2024-11-21 06:25
Severity
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, limit access to the host to trusted users, and limit access to host volumes to trusted containers.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
fedoraproject | fedora | 34
fedoraproject | fedora | 35
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "83825875-76D7-4BB9-BB49-86568EBE67E9", versionEndExcluding: "20.10.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.", }, { lang: "es", value: "Moby es un proyecto de código abierto creado por Docker para permitir la contención de software. 
Se encontró un error en Moby (Docker Engine) en el que el directorio de datos (normalmente \"/var/lib/docker\") contenía subdirectorios con permisos insuficientemente restringidos, lo que permitía a usuarios de Linux no privilegiados saltar el contenido del directorio y ejecutar programas. Cuando los contenedores incluían programas ejecutables con bits de permiso extendidos (como \"setuid\"), los usuarios no privilegiados de Linux podían detectar y ejecutar esos programas. Cuando el UID de un usuario de Linux no privilegiados en el host colisionaba con el propietario o el grupo de un archivo dentro de un contenedor, el usuario de Linux no privilegiados en el host podía descubrir, leer y modificar esos archivos. Este bug ha sido corregido en Moby (Docker Engine) versión 20.10.9. Usuarios deberían actualizar a esta versión lo antes posible. Los contenedores en ejecución deben ser detenidos y reiniciados para que los permisos sean corregidos. Para usuarios que no puedan actualizar, limite el acceso al host a usuarios confiables. 
Limite el acceso a los volúmenes del host a los contenedores confiables", }, ], id: "CVE-2021-41091", lastModified: "2024-11-21T06:25:26.587", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2, impactScore: 3.7, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2, impactScore: 3.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-04T21:15:12.680", references: [ { source: "security-advisories@github.com", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-281", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-732", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-03-24 20:15
Modified
2024-11-21 06:51
Severity
5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
linux | linux_kernel | -
fedoraproject | fedora | 34
fedoraproject | fedora | 35
fedoraproject | fedora | 36
linuxfoundation | runc | *
debian | debian_linux | 11.0
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "251599F9-5922-4381-8D28-A663B2CEA315", versionEndExcluding: "20.10.14", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", matchCriteriaId: "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", matchCriteriaId: "1266D0BA-8DDB-43DF-A1A0-D5CE23BE27C1", versionEndExcluding: "1.1.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. 
Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.", }, { lang: "es", value: "Moby es un proyecto de código abierto creado por Docker para permitir y acelerar la contención de software. Fue encontrado un bug en Moby (Docker Engine) versiones anteriores a 20.10.14, en el que los contenedores eran iniciados incorrectamente con capacidades de proceso Linux heredables no vacías, creando un entorno Linux atípico y permitiendo que los programas con capacidades de archivo heredables elevaran esas capacidades al conjunto permitido durante \"execve(2)\". Normalmente, cuando los programas ejecutables presentan capacidades de archivo permitidas especificadas, los usuarios y procesos no privilegiados pueden ejecutar esos programas y conseguir las capacidades de archivo especificadas hasta el conjunto permitido. 
Debido a este bug, los contenedores que incluían programas ejecutables con capacidades de archivo heredables permitían que usuarios y procesos no privilegiados consiguieran adicionalmente estas capacidades de archivo heredables hasta el conjunto de límites del contenedor. Los contenedores que usan usuarios y grupos de Linux para llevar a cabo la separación de privilegios dentro del contenedor son los más directamente afectados. Este bug no afectaba a la caja de arena de seguridad del contenedor, ya que el conjunto heredable nunca contenía más capacidades que las incluidas en el conjunto delimitador del contenedor. Este bug ha sido corregido en Moby (Docker Engine) versión 20.10.14. Los contenedores en ejecución deben detenerse, eliminarse y volver a crearse para que sean restablecidas las capacidades heredables. Esta corrección cambia el comportamiento de Moby (Docker Engine) para que los contenedores se inicien con un entorno Linux más típico. Como medida de mitigación, el punto de entrada de un contenedor puede modificarse para usar una utilidad como \"capsh(1)\" para eliminar las capacidades heredables antes de que sea iniciado el proceso primario", }, ], id: "CVE-2022-24769", lastModified: "2024-11-21T06:51:03.593", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.5, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.5, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-03-24T20:15:09.493", references: [ { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/05/12/1", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/moby/moby/releases/tag/v20.10.14", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/", }, { source: "security-advisories@github.com", 
url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/", }, { source: "security-advisories@github.com", url: "https://security.gentoo.org/glsa/202401-31", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5162", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/05/12/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://github.com/moby/moby/releases/tag/v20.10.14", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/202401-31", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5162", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-732", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-732", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-04 22:15
Modified
2024-11-21 07:56
Severity
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPsec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPsec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPsec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.
Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.
It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which, due to this vulnerability, is no longer guaranteed.
Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
mobyproject | moby | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "E7027BE5-D31C-40E5-81A4-A91028A687B3", versionEndExcluding: "20.10.24", versionStartIncluding: "1.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "911C8E32-9EC6-4AAD-93CD-C1880D06E3AD", versionEndExcluding: "23.0.3", versionStartIncluding: "23.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. 
By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nAn iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.\n\nEncrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.\n\nIt is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. 
Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.", }, { lang: "es", value: "Moby es un framework de contenedores de código abierto desarrollado por Docker Inc. que se distribuye como Docker, Mirantis Container Runtime y varios otros proyectos/productos posteriores. El componente Moby daemon (`dockerd`), que se desarrolla como moby/moby, se conoce comúnmente como *Docker*. El modo Swarm, que se compila y entrega de forma predeterminada en \"dockerd\" y, por lo tanto, está presente en la mayoría de las principales versiones de Moby, es un orquestador de contenedores simple e integrado que se implementa mediante una combinación de SwarmKit y código de red de soporte. El controlador de red \"superpuesto\" es una característica central del modo Swarm, que proporciona LAN virtuales aisladas que permiten la comunicación entre contenedores y servicios en todo el clúster. Este controlador es una implementación/usuario de VXLAN, que encapsula tramas de capa de enlace (Ethernet) en datagramas UDP que etiquetan la trama con los metadatos de VXLAN, incluido un ID de red VXLAN (VNI) que identifica la red superpuesta de origen. Además, el controlador de red superpuesta admite un modo cifrado opcional, desactivado de forma predeterminada, que resulta especialmente útil cuando los paquetes VXLAN atraviesan una red que no es de confianza entre nodos. Las redes superpuestas cifradas funcionan encapsulando los datagramas VXLAN mediante el uso del protocolo IPsec Encapsulating Security Payload en modo Transporte. 
Al implementar la encapsulación IPSec, las redes superpuestas cifradas obtienen propiedades adicionales de autenticación de origen mediante prueba criptográfica, integridad de datos mediante suma de verificación y confidencialidad mediante cifrado.Al configurar un endpoint en una red superpuesta cifrada, Moby instala tres reglas de iptables (firewall del kernel de Linux) que aplican IPSec tanto entrante como saliente. Estas reglas se basan en la extensión iptables `u32` proporcionada por el módulo del kernel `xt_u32` para filtrar directamente el campo VNI de un paquete VXLAN, de modo que las garantías IPSec se puedan aplicar en redes superpuestas cifradas sin interferir con otras redes superpuestas u otros usuarios de VXLAN. Una regla de iptables designa datagramas VXLAN salientes con un VNI que corresponde a una red superpuesta cifrada para encapsulación IPsec. Las redes superpuestas cifradas en las plataformas afectadas transmiten silenciosamente datos no cifrados. Como resultado, las redes \"superpuestas\" pueden parecer funcionales, pasando el tráfico como se esperaba, pero sin ninguna de las garantías esperadas de confidencialidad o integridad de los datos. Es posible que un atacante ubicado en una posición confiable en la red lea todo el tráfico de aplicaciones que se mueve a través de la red superpuesta, lo que resulta en secretos inesperados o divulgación de datos del usuario. Por lo tanto, debido a que muchos protocolos de bases de datos, API internas, etc. no están protegidos por una segunda capa de cifrado, un usuario puede utilizar redes superpuestas cifradas Swarm para proporcionar confidencialidad, que debido a esta vulnerabilidad ya no está garantizada. Los parches están disponibles en las versiones 23.0.3 y 20.10.24 de Moby. Como las versiones 20.10 de Mirantis Container Runtime tienen numeración diferente, los usuarios de esa plataforma deben actualizar a la versión 20.10.16. Algunos workarounds están disponibles. 
Cierre el puerto VXLAN (de forma predeterminada, el puerto UDP 4789) al tráfico saliente en el límite de Internet para evitar fugas involuntarias de tráfico no cifrado a través de Internet y/o asegúrese de que el módulo del kernel `xt_u32` esté disponible en todos los nodos del grupo Swarm.", }, ], id: "CVE-2023-28841", lastModified: "2024-11-21T07:56:08.160", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-04T22:15:07.937", references: [ { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/moby/moby/issues/43382", }, { source: "security-advisories@github.com", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/moby/moby/pull/45118", }, { source: 
"security-advisories@github.com", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/moby/moby/issues/43382", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/moby/moby/pull/45118", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-311", }, { lang: "en", value: "CWE-636", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-311", }, { lang: "en", value: "CWE-755", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-01 17:15
Modified
2024-11-21 08:59
Severity ?
6.9 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default. Patches are included in the 24.0.9 and 25.0.2 releases.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
mobyproject | moby | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "8334C2EE-69C4-42D5-89C3-00C77A880F08", versionEndExcluding: "24.0.9", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "D9331CA9-E92E-4D37-8C87-92F6D4418C4A", versionEndExcluding: "25.0.2", versionStartIncluding: "25.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.", }, { lang: "es", value: "Moby es un proyecto de código abierto creado por Docker para permitir la contenedorización de software. El sistema de caché del constructor clásico es propenso a envenenar el caché si la imagen se crea DESDE scratch. Además, los cambios en algunas instrucciones (las más importantes son HEALTHCHECK y ONBUILD) no provocarían una pérdida de caché. 
Un atacante con conocimiento del Dockerfile que alguien está usando podría envenenar su caché al obligarlo a extraer una imagen especialmente manipulada que se consideraría como un candidato de caché válido para algunos pasos de compilación. Los usuarios de 23.0+ solo se ven afectados si optaron explícitamente por no participar en Buildkit (variable de entorno DOCKER_BUILDKIT=0) o si están usando el endpoint API /build. Todos los usuarios con versiones anteriores a la 23.0 podrían verse afectados. El punto final de la API de creación de imágenes (/build) y la función ImageBuild de github.com/docker/docker/client también se ven afectados ya que utiliza el generador clásico de forma predeterminada. Los parches se incluyen en las versiones 24.0.9 y 25.0.2.", }, ], id: "CVE-2024-24557", lastModified: "2024-11-21T08:59:24.603", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.9, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", version: "3.1", }, exploitabilityScore: 1, impactScore: 5.3, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-01T17:15:10.953", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", }, { source: "security-advisories@github.com", tags: 
[ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-345", }, { lang: "en", value: "CWE-346", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-346", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-04 21:15
Modified
2024-11-21 06:25
Severity ?
2.8 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
fedoraproject | fedora | 34
fedoraproject | fedora | 35
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "83825875-76D7-4BB9-BB49-86568EBE67E9", versionEndExcluding: "20.10.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.", }, { lang: "es", value: "Moby es un proyecto de código abierto creado por Docker para permitir la contenedorización de software. Se ha encontrado un fallo en Moby (Docker Engine) en el que el intento de copiar archivos mediante `docker cp` en un contenedor especialmente diseñado puede dar lugar a cambios en los permisos de archivos Unix para los archivos existentes en el sistema de archivos del host, ampliando el acceso a otros. Este fallo no permite directamente la lectura, modificación o ejecución de archivos sin un proceso adicional que coopere. Este error ha sido corregido en Moby (Docker Engine) 20.10.9. Los usuarios deben actualizar a esta versión lo antes posible. 
Los contenedores en ejecución no necesitan ser reiniciados", }, ], id: "CVE-2021-41089", lastModified: "2024-11-21T06:25:26.147", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.1, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2, impactScore: 3.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-04T21:15:12.620", references: [ { source: "security-advisories@github.com", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-281", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-281", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-04 22:15
Modified
2024-11-21 07:56
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.
Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.
References
Impacted products
Vendor | Product | Version
---|---|---
mobyproject | moby | *
mobyproject | moby | *
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "E7027BE5-D31C-40E5-81A4-A91028A687B3", versionEndExcluding: "20.10.24", versionStartIncluding: "1.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "911C8E32-9EC6-4AAD-93CD-C1880D06E3AD", versionEndExcluding: "23.0.3", versionStartIncluding: "23.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. 
By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nThe `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.\n\nEncrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. 
The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.", }, { lang: "es", value: "Moby) es un framework de contenedores de código abierto desarrollado por Docker Inc. que se distribuye como Docker, Mirantis Container Runtime y varios otros proyectos/productos posteriores. El componente Moby daemon (`dockerd`), que se desarrolla como moby/moby, se conoce comúnmente como *Docker*. El modo Swarm, que se compila y entrega de forma predeterminada en \"dockerd\" y, por lo tanto, está presente en la mayoría de las principales versiones de Moby, es un orquestador de contenedores simple e integrado que se implementa mediante una combinación de SwarmKit y soportando un código de red. El controlador de red \"superpuesto\" es una característica central del modo Swarm, que proporciona LAN virtuales aisladas que permiten la comunicación entre contenedores y servicios en todo el clúster. Este controlador es una implementación/usuario de VXLAN, que encapsula tramas de capa de enlace (Ethernet) en datagramas UDP que etiquetan la trama con los metadatos de VXLAN, incluido un ID de red VXLAN (VNI) que identifica la red superpuesta de origen. Además, el controlador de red superpuesta admite un modo cifrado opcional, desactivado de forma predeterminada, que resulta especialmente útil cuando los paquetes VXLAN atraviesan una red que no es de confianza entre nodos. Las redes superpuestas cifradas funcionan encapsulando los datagramas VXLAN mediante el uso del protocolo IPsec Encapsulating Security Payload en modo Transporte. 
Al implementar la encapsulación IPSec, las redes superpuestas cifradas obtienen propiedades adicionales de autenticación de origen mediante prueba criptográfica, integridad de datos mediante suma de verificación y confidencialidad mediante cifrado. Al configurar un endpoint en una red superpuesta cifrada, Moby instala tres reglas de iptables (firewall del kernel de Linux) que aplican IPSec tanto entrante como saliente. Estas reglas se basan en la extensión iptables `u32` proporcionada por el módulo del kernel `xt_u32` para filtrar directamente el campo VNI de un paquete VXLAN, de modo que las garantías IPSec se puedan aplicar en redes superpuestas cifradas sin interferir con otras redes superpuestas u otros usuarios de VXLAN. El controlador `overlay` define de forma dinámica y perezosa la configuración del kernel para la red VXLAN en cada nodo a medida que los contenedores se conectan y desconectan. Las rutas y los parámetros de cifrado solo se definen para los nodos de destino que participan en la red. Las reglas de iptables que impiden que las redes superpuestas cifradas acepten paquetes no cifrados no se crean hasta que haya un interlocutor disponible con el que comunicarse. Las redes superpuestas cifradas aceptan silenciosamente datagramas VXLAN de texto sin cifrar etiquetados con el VNI de una red superpuesta cifrada. Como resultado, es posible inyectar tramas Ethernet arbitrarias en la red superpuesta cifrada encapsulándolas en datagramas VXLAN. Las implicaciones de esto pueden ser bastante nefastas, y se debe hacer referencia a GHSA-vwm3-crmr-xfxw para una exploración más profunda. Los parches están disponibles en las versiones 23.0.3 y 20.10.24 de Moby. Como las versiones 20.10 de Mirantis Container Runtime tienen numeración diferente, los usuarios de esa plataforma deben actualizar a la versión 20.10.16. Algunos workarounds están disponibles. 
En clústeres de múltiples nodos, implemente un contenedor de \"pausa\" global para cada red superpuesta cifrada, en cada nodo. Para un clúster de un solo nodo, no utilice redes superpuestas de ningún tipo. Las redes puente brindan la misma conectividad en un solo nodo y no tienen funciones de múltiples nodos. La función de ingreso de Swarm se implementa usando una red superpuesta, pero se puede deshabilitar publicando puertos en modo \"host\" en lugar del modo \"ingress\" (permitiendo el uso de un balanceador de carga externo) y eliminando la red de \"ingress\". Si las redes superpuestas cifradas son de uso exclusivo, bloquee el puerto UDP 4789 del tráfico que no haya sido validado por IPSec.", }, ], id: "CVE-2023-28842", lastModified: "2024-11-21T07:56:08.310", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-04-04T22:15:08.007", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "security-advisories@github.com", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-420", }, { lang: "en", value: "CWE-636", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-755", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-11-04 17:29
Modified
2024-11-21 03:16
Severity ?
Summary
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
mobyproject | moby | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "147B0438-E92F-488A-A86F-9489FE88E0CD", versionEndIncluding: "17.03.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a \"scsi remove-single-device\" line to /proc/scsi/scsi, aka SCSI MICDROP.", }, { lang: "es", value: "La función DefaultLinuxSpec en oci/defaults.go en Docker Moby en versiones hasta la 17.03.2-ce no bloquea nombres de ruta /proc/scsi, lo que permite que los atacantes provoquen una pérdida de información (cuando se utilizan ciertos kernels de Linux más antiguos) aprovechando el acceso al contenedor Docker para escribir una línea \"scsi remove-single-device\" en /proc/scsi/scsi. 
Esto también se conoce como SCSI MICDROP.", }, ], id: "CVE-2017-16539", lastModified: "2024-11-21T03:16:32.233", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-11-04T17:29:00.207", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/35399", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://twitter.com/ewindisch/status/926443521820774401", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", 
"Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/35399", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://twitter.com/ewindisch/status/926443521820774401", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-04-18 17:15
Modified
2024-11-21 06:56
Severity ?
Summary
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions, and the same class of flaw was found in Moby (Docker Engine), where containers were started with a non-empty inheritable Linux process capability set. Because execve(2) adds the intersection of the process's inheritable set and the executable's inheritable file capabilities to the new permitted set, an attacker who can run a program carrying inheritable file capabilities inside the container can elevate those capabilities into its permitted set. Moby fixed this in 20.10.14 (see the affected-version data below).
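To make the execve(2) rule in this description concrete, here is an added example (editor's code, not from Moby, cri-o or the advisory) that applies the capabilities(7) transition formula to a non-root container process and parses the `CapInh` line of `/proc/<pid>/status`. The two status excerpts are constructed; the bounding-set value `0xa80425fb` is the usual Docker default capability mask and is assumed here rather than read from a live host.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Caps is a Linux capability bitmask in the layout of the CapXxx lines
// of /proc/<pid>/status (bit n == capability number n).
type Caps uint64

// Capability numbers from <linux/capability.h> used in the example.
const (
	capNetBindService Caps = 1 << 10
	capNetRaw         Caps = 1 << 13
	capSysAdmin       Caps = 1 << 21
)

// ProcCaps are the credential sets of a running thread.
type ProcCaps struct {
	Permitted, Inheritable, Effective, Bounding, Ambient Caps
}

// FileCaps are the security.capability xattr sets on an executable.
type FileCaps struct {
	Permitted, Inheritable Caps
	Effective              bool // the file's "effective" flag
}

// ExecTransition applies the capabilities(7) rules for execve(2) of a
// file that carries file capabilities (assumption: non-root uid and no
// securebits, so the privileged file clears the ambient set):
//   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
func ExecTransition(p ProcCaps, f FileCaps) ProcCaps {
	n := ProcCaps{Bounding: p.Bounding, Inheritable: p.Inheritable, Ambient: 0}
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	} else {
		n.Effective = n.Ambient
	}
	return n
}

// InheritableFromStatus extracts CapInh from /proc/<pid>/status text.
func InheritableFromStatus(status string) (Caps, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapInh:") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(strings.TrimPrefix(line, "CapInh:")), 16, 64)
		if err != nil {
			return 0, fmt.Errorf("bad CapInh line %q: %w", line, err)
		}
		return Caps(v), nil
	}
	return 0, fmt.Errorf("CapInh line not found")
}

// Constructed /proc/self/status excerpts for a non-root (uid 65534)
// container process. Pre-fix, the inheritable set still equals the
// default bounding set; post-fix it is empty.
const statusVulnerable = "Uid:\t65534\t65534\t65534\t65534\nCapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
const statusFixed = "Uid:\t65534\t65534\t65534\t65534\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"

// GainedByExec returns the permitted set a non-root process with the
// given status acquires by exec'ing a binary whose file capabilities
// consist only of an inheritable set plus the effective flag.
func GainedByExec(status string, fileInheritable Caps) (Caps, error) {
	inh, err := InheritableFromStatus(status)
	if err != nil {
		return 0, err
	}
	proc := ProcCaps{Inheritable: inh, Bounding: 0xa80425fb} // assumed default bounding set
	file := FileCaps{Inheritable: fileInheritable, Effective: true}
	return ExecTransition(proc, file).Permitted, nil
}

func main() {
	for name, st := range map[string]string{"vulnerable": statusVulnerable, "fixed": statusFixed} {
		got, err := GainedByExec(st, capNetBindService|capNetRaw)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-10s permitted after execve = %#x\n", name, uint64(got))
	}
}
```

On a live container, `grep CapInh /proc/1/status` for a non-root process shows all zeros on a fixed engine; a non-zero value means any binary in the image that carries an inheritable file capability (`getcap -r /`) picks those bits up into its permitted set on exec, as the vulnerable run above shows (`CAP_NET_BIND_SERVICE` and `CAP_NET_RAW` gained; `CAP_SYS_ADMIN` would still be blocked because it is outside the bounding set).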
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2066839 | Issue Tracking, Third Party Advisory | |
secalert@redhat.com | https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6 | Mitigation, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2066839 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6 | Mitigation, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
kubernetes | cri-o | - | |
fedoraproject | fedora | 35 | |
mobyproject | moby | * | |
redhat | openshift_container_platform | 3.11 | |
redhat | openshift_container_platform | 4.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kubernetes:cri-o:-:*:*:*:*:*:*:*", matchCriteriaId: "A283D260-73A3-481A-9E98-4C4604020B83", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "251599F9-5922-4381-8D28-A663B2CEA315", versionEndExcluding: "20.10.14", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", matchCriteriaId: "2F87326E-0B56-4356-A889-73D026DB1D4B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", matchCriteriaId: "932D137F-528B-4526-9A89-CD59FA1AB0FE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.", }, { lang: "es", value: "Se ha encontrado un fallo en cri-o, donde los contenedores eran iniciados incorrectamente con permisos por defecto no vacíos. Se ha encontrado una vulnerabilidad en Moby (Docker Engine) donde los contenedores se iniciaban incorrectamente con capacidades de proceso Linux heredables no vacías. 
Este fallo permite a un atacante con acceso a programas con capacidades de archivo heredables elevar esas capacidades al conjunto permitido cuando es ejecutado execve(2)", }, ], id: "CVE-2022-27652", lastModified: "2024-11-21T06:56:06.357", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-04-18T17:15:16.977", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", }, { source: "secalert@redhat.com", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: 
"Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-276", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-276", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-09-09 18:15
Modified
2025-01-17 13:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers must be stopped and restarted for the permissions to be fixed. Users unable to upgrade can work around the problem by not using the `USER $USERNAME` Dockerfile instruction; invoking `ENTRYPOINT ["su", "-", "user"]` instead makes `su` set up the supplementary groups properly.
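An added check (editor's example, not code from Moby or the advisory) for the condition described above: derive the group list that a login-style user switch such as `su -` would give a user from the image's `/etc/passwd` and `/etc/group`, read the `Groups:` line of a running container process from `/proc/<pid>/status`, and report any supplementary GID the process holds without entitlement or lacks despite entitlement. The passwd, group and status excerpts are constructed to show the shape of a mismatch report; they are not captures from a pre-fix daemon.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ExpectedGroups derives the group list a login-style switch (su -,
// initgroups(3)) would give user: the primary GID from passwd plus
// every group in /etc/group that lists the user as a member.
func ExpectedGroups(passwd, group, user string) ([]int, error) {
	primary, found := 0, false
	sc := bufio.NewScanner(strings.NewReader(passwd))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":")
		if len(f) < 4 || f[0] != user {
			continue
		}
		gid, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad gid for %s: %w", user, err)
		}
		primary, found = gid, true
		break
	}
	if !found {
		return nil, fmt.Errorf("user %q not in passwd", user)
	}
	set := map[int]bool{primary: true}
	sc = bufio.NewScanner(strings.NewReader(group))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":") // name:passwd:gid:member,member
		if len(f) < 4 {
			continue
		}
		for _, m := range strings.Split(f[3], ",") {
			if m != user {
				continue
			}
			gid, err := strconv.Atoi(f[2])
			if err != nil {
				return nil, fmt.Errorf("bad gid in group %s: %w", f[0], err)
			}
			set[gid] = true
		}
	}
	return sortedKeys(set), nil
}

// ObservedGroups parses the "Groups:" line of /proc/<pid>/status, the
// supplementary groups the process actually holds.
func ObservedGroups(status string) ([]int, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "Groups:") {
			continue
		}
		set := map[int]bool{}
		for _, s := range strings.Fields(strings.TrimPrefix(line, "Groups:")) {
			gid, err := strconv.Atoi(s)
			if err != nil {
				return nil, fmt.Errorf("bad Groups entry %q: %w", s, err)
			}
			set[gid] = true
		}
		return sortedKeys(set), nil
	}
	return nil, fmt.Errorf("Groups line not found")
}

// Diff returns GIDs the process holds but is not entitled to (extra)
// and entitled GIDs it does not hold (missing), both sorted.
func Diff(expected, observed []int) (extra, missing []int) {
	exp, obs := map[int]bool{}, map[int]bool{}
	for _, g := range expected {
		exp[g] = true
	}
	for _, g := range observed {
		obs[g] = true
		if !exp[g] {
			extra = append(extra, g)
		}
	}
	for _, g := range expected {
		if !obs[g] {
			missing = append(missing, g)
		}
	}
	sort.Ints(extra)
	sort.Ints(missing)
	return extra, missing
}

func sortedKeys(m map[int]bool) []int {
	out := make([]int, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Ints(out)
	return out
}

// Constructed image files and status excerpt (not a real capture).
const samplePasswd = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
const sampleGroup = "root:x:0:\napp:x:1000:\naudio:x:29:app\nvideo:x:44:app\n"
const sampleStatus = "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t0 1000 \n"

func main() {
	want, err := ExpectedGroups(samplePasswd, sampleGroup, "app")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	got, err := ObservedGroups(sampleStatus)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	extra, missing := Diff(want, got)
	fmt.Printf("expected %v observed %v\nextra %v missing %v\n", want, got, extra, missing)
}
```

Run the same comparison against a real container by copying its `/etc/passwd` and `/etc/group` and the status of its PID 1 (`docker exec <c> cat /proc/1/status`); on a fixed engine, `extra` and `missing` are both empty for a `USER`-switched process.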
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
mobyproject | moby | * | |
fedoraproject | fedora | 36 | |
fedoraproject | fedora | 37 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "6E6EEA64-3516-4248-BE60-F537623DA9E8", versionEndExcluding: "20.10.18", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly.", }, { lang: "es", value: "Moby es un proyecto de código abierto creado por Docker para permitir una contención de software. Ha sido encontrado un bug en Moby (Docker Engine) en el que los grupos complementarios no son configurados apropiadamente. 
Si un atacante presenta acceso directo a un contenedor y manipula su acceso a grupos suplementarios, puede ser capaz de usar el acceso a grupos suplementarios para omitir las restricciones de grupos primarios en algunos casos, obteniendo potencialmente acceso a información confidencial o ganando la capacidad de ejecutar código en ese contenedor. Este error ha sido corregido en Moby (Docker Engine) versión 20.10.18. Los contenedores en ejecución deben ser detenidos y reiniciados para que los permisos sean corregidos. Para usuarios que no puedan actualizar, este problema puede mitigarse al no usar la instrucción \"\"USER $USERNAME\"\" de Dockerfile. En su lugar, llamando a \"ENTRYPOINT [\"su\", \"-\", \"user\"]\" los grupos complementarios serán configurados apropiadamente", }, ], id: "CVE-2022-36109", lastModified: "2025-01-17T13:15:19.993", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-09-09T18:15:10.540", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", }, { source: 
"security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/releases/tag/v20.10.18", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ", }, { source: "security-advisories@github.com", url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/releases/tag/v20.10.18", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: 
"Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-07-06 16:29
Modified
2024-11-21 03:42
Severity ?
Summary
The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 onward (through 18.03.1 for Docker CE/EE and 17.03.2 for Moby, per the affected-version data below) does not mask /proc/acpi pathnames. A process inside a container can therefore write to the host's ACPI interfaces and change hardware state, for example enabling or disabling Bluetooth or changing the keyboard backlight brightness.
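Both this issue and SCSI MICDROP (CVE-2017-16539, above) come down to a path under /proc that the default OCI spec did not mask. The following added example (editor's code, not Moby's) audits an OCI runtime `config.json` for the procfs paths that should appear in `linux.maskedPaths`, counting a read-only bind in `linux.readonlyPaths` as equivalent protection against the writes these advisories describe. The required-path list and the sample config are assumptions constructed for the example; on a real host, compare against the `config.json` in the container's OCI bundle.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ociSpec models only the part of an OCI runtime config.json the audit
// needs; field names follow the runtime-spec JSON schema.
type ociSpec struct {
	Linux struct {
		MaskedPaths   []string `json:"maskedPaths"`
		ReadonlyPaths []string `json:"readonlyPaths"`
	} `json:"linux"`
}

// requiredMasked lists procfs/sysfs paths a hardened default spec should
// mask. /proc/scsi and /proc/acpi are the two from the advisories on
// this page; the others are long-standing Docker defaults. Assumption:
// adjust the list to your runtime's policy.
var requiredMasked = []string{
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/latency_stats",
	"/proc/sched_debug",
	"/proc/scsi",
	"/proc/timer_list",
	"/proc/timer_stats",
	"/sys/firmware",
}

// MissingMaskedPaths parses an OCI config.json and returns, sorted, the
// required paths that are neither masked nor bind-mounted read-only.
func MissingMaskedPaths(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	covered := make(map[string]bool, len(spec.Linux.MaskedPaths))
	for _, p := range spec.Linux.MaskedPaths {
		covered[p] = true
	}
	// A read-only bind also blocks the writes the advisories describe.
	for _, p := range spec.Linux.ReadonlyPaths {
		covered[p] = true
	}
	var missing []string
	for _, p := range requiredMasked {
		if !covered[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// sampleConfig is a constructed fragment resembling a pre-fix default
// spec: /proc/scsi and /proc/acpi are absent from maskedPaths.
const sampleConfig = `{
  "ociVersion": "1.0.0",
  "linux": {
    "maskedPaths": [
      "/proc/kcore", "/proc/keys", "/proc/latency_stats",
      "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug",
      "/sys/firmware"
    ],
    "readonlyPaths": [
      "/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq",
      "/proc/sys", "/proc/sysrq-trigger"
    ]
  }
}`

func main() {
	missing, err := MissingMaskedPaths([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("all required paths are masked or read-only")
		return
	}
	for _, p := range missing {
		fmt.Printf("NOT MASKED: %s\n", p)
	}
}
```

Point it at a real bundle with `MissingMaskedPaths(os.ReadFile(path))`; a report of `/proc/acpi` or `/proc/scsi` means the spec predates the fixes referenced on this page or has been overridden.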
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:docker:docker:*:*:*:*:community_edition:*:*:*", matchCriteriaId: "6033CE00-E28D-4404-8386-20D74CFFF2C8", versionEndIncluding: "18.03.1", versionStartIncluding: "1.11", vulnerable: true, }, { criteria: "cpe:2.3:a:docker:docker:*:*:*:*:enterprise_edition:*:*:*", matchCriteriaId: "F59AB755-83AE-4ABF-A678-65FCF025F5A2", versionEndIncluding: "18.03.1", versionStartIncluding: "1.11", vulnerable: true, }, { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "667695F0-B7F9-40E5-B520-92FFCC8B42EC", versionEndIncluding: "17.03.2", versionStartIncluding: "1.11", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*", matchCriteriaId: "4D4AC996-B340-4A14-86F7-FF83B4D5EC8F", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", matchCriteriaId: "F1E78106-58E6-4D59-990F-75DA575BFAD9", vulnerable: true, }, { criteria: "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", matchCriteriaId: "B620311B-34A3-48A6-82DF-6F078D7A4493", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. 
The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.", }, { lang: "es", value: "La especificación OCI por defecto de Linux en oci/defaults{_linux}.go en Docker y Moby desde la versión 1.11 hasta la más actual no bloquea los nombres de ruta /proc/acpi. El error permite que un atacante modifique el hardware del host, como habilitar/deshabilitar el bluetooth o subir/bajar el brillo del teclado.", }, ], id: "CVE-2018-10892", lastModified: "2024-11-21T03:42:14.383", metrics: { cvssMetricV2: [ { acInsufInfo: true, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.0", }, exploitabilityScore: 2, impactScore: 3.7, source: "secalert@redhat.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: 
"2018-07-06T16:29:00.150", references: [ { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHBA-2018:2796", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2482", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2729", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/37404", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHBA-2018:2796", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2482", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2729", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/37404", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-250", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ 
{ lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-09-10 17:29
Modified
2024-11-21 03:45
Severity ?
Summary
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client holding any domain-validated certificate signed by a system-trusted root CA (rather than one signed by the configured CA root certificate) to authenticate to the daemon.
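The following added example (editor's code, not Moby's or its TLS helper library's) shows the difference the fix makes at the Go `crypto/x509` level: a client certificate issued by a CA the operator never configured passes verification when the `ClientCAs` pool is seeded from the system roots, and fails when the pool contains only the configured CA. Both CAs and the client certificate are generated in memory, and a second in-memory CA stands in for the system trust store so the example runs offline and deterministically.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and signs tmpl with parent/parentKey
// (self-signed when parent is nil). Nothing touches disk.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate is a minimal CA certificate template valid for one day.
func caTemplate(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// ClientAccepted reports whether leaf passes client-certificate
// verification against roots, the check that tls.Config.ClientCAs backs
// under tls.RequireAndVerifyClientCert.
func ClientAccepted(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Scenario issues a client certificate from a CA the daemon operator
// never configured and checks it against two ClientCAs pools.
func Scenario() (weakAccepts, strictAccepts bool, err error) {
	daemonCA, _, err := makeCert(caTemplate("docker daemon CA", 1), nil, nil)
	if err != nil {
		return false, false, err
	}
	// Stands in for a root that lives in the host's system trust store.
	publicCA, publicKey, err := makeCert(caTemplate("some public CA", 2), nil, nil)
	if err != nil {
		return false, false, err
	}
	now := time.Now()
	leaf, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "attacker.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, publicCA, publicKey)
	if err != nil {
		return false, false, err
	}

	// Weak pool: system roots plus the configured CA. On a real host this
	// is x509.SystemCertPool() with the daemon CA appended; publicCA
	// models the system roots here.
	weak := x509.NewCertPool()
	weak.AddCert(publicCA)
	weak.AddCert(daemonCA)

	// Strict pool: a fresh pool holding only the CA the operator configured.
	strict := x509.NewCertPool()
	strict.AddCert(daemonCA)

	return ClientAccepted(leaf, weak), ClientAccepted(leaf, strict), nil
}

func main() {
	weak, strict, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("client cert from unconfigured CA: weak pool accepts=%v, strict pool accepts=%v\n", weak, strict)
}
```

The lesson generalises beyond Docker: a server's `ClientCAs` pool should never start from `x509.SystemCertPool()`, because client authentication is an authorization decision about who may call the API, not a question of whether some public CA vouches for a hostname.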
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/moby/moby/pull/33182 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/moby/moby/pull/33182 | Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
mobyproject | moby | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", matchCriteriaId: "779519D6-D1A3-464C-9ECD-601E87099FFD", versionEndExcluding: "17.06.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.", }, { lang: "es", value: "Se ha descubierto un problema en Docker Moby, en versiones anteriores a la 17.06.0. EL motor Docker validó el certificado TLS del cliente mediante el certificado root del CA del cliente configurado y todos los roots del sistema en sistemas que no son Windows. Esto permitió que un cliente con cualquier certificado de dominio validado por una CA root en la que confía el sistema (al contrario que otro firmado por la CA root configurada) para autenticarse", }, ], id: "CVE-2018-12608", lastModified: "2024-11-21T03:45:32.067", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: 
"NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-09-10T17:29:00.287", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/33182", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/moby/moby/pull/33182", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
cve-2023-28841
Vulnerability from cvelistv5
Published
2023-04-04 21:12
Modified
2025-02-13 16:48
Severity ?
EPSS score ?
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams using the IPsec Encapsulating Security Payload (ESP) protocol in transport mode. IPsec encapsulation gives encrypted overlay networks the additional properties of source authentication through cryptographic proof, data integrity through an authenticated integrity check, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPsec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to filter directly on a VXLAN packet's VNI field, so that IPsec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
One of these rules marks outgoing VXLAN datagrams whose VNI corresponds to an encrypted overlay network for IPsec encapsulation. On a node where the `xt_u32` module is not available, that rule cannot be installed and the failure is not surfaced to the user: encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.
An attacker sitting in a trusted position on the network can read all of the application traffic moving across the overlay network, resulting in disclosure of secrets or user data. Because many database protocols, internal APIs and similar traffic are not protected by a second layer of encryption, users may rely on Swarm encrypted overlay networks for confidentiality, which this vulnerability no longer guarantees.
Patches are available in Moby releases 23.0.3 and 20.10.24. Because Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (UDP 4789 by default) to outgoing traffic at the Internet boundary, to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
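As an added detection example (editor's code, not part of Moby or the advisory), the following classifies raw IPv4 packets captured between Swarm nodes: ESP (IP protocol 50) is what an encrypted overlay should produce in transport mode, while a cleartext UDP/4789 VXLAN datagram whose VNI belongs to an encrypted network is the leak this advisory describes. The set of encrypted VNIs is assumed to come from each network's `com.docker.network.driver.overlay.vxlanid_list` option as shown by `docker network inspect`; the packets are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	protoUDP  = 17
	protoESP  = 50
	vxlanPort = 4789 // the overlay driver's default VXLAN UDP port
)

// Verdict describes one captured IPv4 packet between Swarm nodes.
type Verdict struct {
	Kind string // "esp", "vxlan-clear" or "other"
	VNI  uint32 // filled in for vxlan-clear
	Leak bool   // cleartext VXLAN carrying an encrypted network's VNI
}

// vxlanVNI reads the 24-bit VNI from a VXLAN header (RFC 7348): a flags
// byte whose I bit (0x08) must be set, three reserved bytes, three VNI
// bytes, one reserved byte. This is the field the daemon's u32 rule keys on.
func vxlanVNI(payload []byte) (uint32, error) {
	if len(payload) < 8 {
		return 0, errors.New("short VXLAN header")
	}
	if payload[0]&0x08 == 0 {
		return 0, errors.New("VXLAN I flag not set")
	}
	return uint32(payload[4])<<16 | uint32(payload[5])<<8 | uint32(payload[6]), nil
}

// Classify inspects a raw IPv4 packet and flags cleartext VXLAN whose
// VNI belongs to a network that is supposed to be encrypted.
func Classify(pkt []byte, encryptedVNIs map[uint32]bool) (Verdict, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return Verdict{}, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return Verdict{}, errors.New("bad IHL")
	}
	switch pkt[9] {
	case protoESP:
		// Transport-mode ESP: the UDP and VXLAN headers are inside the
		// encrypted payload, so no VNI is visible on the wire.
		return Verdict{Kind: "esp"}, nil
	case protoUDP:
		udp := pkt[ihl:]
		if len(udp) < 8 {
			return Verdict{}, errors.New("short UDP header")
		}
		if binary.BigEndian.Uint16(udp[2:4]) != vxlanPort {
			return Verdict{Kind: "other"}, nil
		}
		vni, err := vxlanVNI(udp[8:])
		if err != nil {
			return Verdict{}, err
		}
		return Verdict{Kind: "vxlan-clear", VNI: vni, Leak: encryptedVNIs[vni]}, nil
	}
	return Verdict{Kind: "other"}, nil
}

// ipv4Header builds a minimal 20-byte header (10.0.0.1 -> 10.0.0.2);
// lengths and checksums are left zero because Classify ignores them.
func ipv4Header(proto byte) []byte {
	return []byte{0x45, 0, 0, 0, 0, 0, 0x40, 0, 64, proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2}
}

// buildVXLAN constructs an IPv4/UDP/VXLAN packet carrying the given VNI.
func buildVXLAN(vni uint32) []byte {
	udp := []byte{0xc0, 0x00, 0x12, 0xb5, 0, 0, 0, 0} // dst port 0x12b5 == 4789
	vx := []byte{0x08, 0, 0, 0, byte(vni >> 16), byte(vni >> 8), byte(vni), 0}
	pkt := append(ipv4Header(protoUDP), udp...)
	pkt = append(pkt, vx...)
	return append(pkt, make([]byte, 14)...) // truncated inner Ethernet frame
}

// sampleESP is a constructed transport-mode ESP packet: SPI, sequence
// number and opaque ciphertext follow the IPv4 header.
var sampleESP = append(ipv4Header(protoESP), 0, 0, 0x10, 0x01, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef)

func main() {
	// VNIs of networks created with --opt encrypted (assumed values).
	encrypted := map[uint32]bool{4097: true}
	for _, pkt := range [][]byte{buildVXLAN(4097), buildVXLAN(4096), sampleESP} {
		v, err := Classify(pkt, encrypted)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-12s vni=%-5d leak=%v\n", v.Kind, v.VNI, v.Leak)
	}
}
```

Feed it the IP packets from a capture such as `tcpdump -i <iface> 'udp port 4789 or ip proto 50'` taken on a node. Any `vxlan-clear` verdict with `leak=true` means the outgoing mangle rule is not in effect on that node (on affected platforms, because `xt_u32` is missing), regardless of what the network's `encrypted` option says; ESP-only traffic for those VNIs is the expected healthy state.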
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T13:51:38.268Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { name: "https://github.com/moby/moby/issues/43382", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/issues/43382", }, { name: "https://github.com/moby/moby/pull/45118", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/45118", }, { name: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", }, { tags: [ "x_transferred", ], url: 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28841", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-10T21:32:19.333443Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-10T21:32:23.447Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: ">= 1.12.0, < 20.10.24", }, { status: "affected", version: ">= 23.0.0, < 23.0.3", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. 
This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nAn iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.\n\nEncrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.\n\nIt is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. 
are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-311", description: "CWE-311: Missing Encryption of Sensitive Data", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-636", description: "CWE-636: Not Failing Securely ('Failing Open')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-15T20:06:27.951Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_MISC", ], url: 
"https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { name: "https://github.com/moby/moby/issues/43382", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/issues/43382", }, { name: "https://github.com/moby/moby/pull/45118", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/45118", }, { name: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], source: { advisory: "GHSA-33pg-m6jh-5237", discovery: "UNKNOWN", }, title: "moby/moby's dockerd daemon encrypted overlay network traffic may be unencrypted", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28841", datePublished: "2023-04-04T21:12:17.406Z", dateReserved: "2023-03-24T16:25:34.466Z", dateUpdated: "2025-02-13T16:48:54.707Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-28840
Vulnerability from cvelistv5
Published
2023-04-04 21:13
Modified
2025-02-13 16:48
Severity: 7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discard unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.
The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.
Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T13:51:38.250Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { name: "https://github.com/moby/moby/issues/43382", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/issues/43382", }, { name: "https://github.com/moby/moby/pull/45118", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/45118", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { tags: [ "x_transferred", ], url: 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28840", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-10T21:31:15.735065Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-10T21:31:41.188Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: ">= 1.12.0, < 20.10.24", }, { status: "affected", version: ">= 23.0.0, < 23.0.3", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. 
In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nTwo iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.\n\nThe injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.\n\nPatches are available in Moby releases 23.0.3 and 20.10.24. 
As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-420", description: "CWE-420: Unprotected Alternate Channel", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-636", description: "CWE-636: Not Failing Securely ('Failing Open')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-15T20:06:20.926Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: 
"https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { name: "https://github.com/moby/moby/issues/43382", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/issues/43382", }, { name: "https://github.com/moby/moby/pull/45118", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/45118", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], source: { advisory: "GHSA-232p-vwff-86mp", discovery: "UNKNOWN", }, title: "moby/moby's dockerd daemon encrypted overlay network may be unauthenticated", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28840", datePublished: "2023-04-04T21:13:03.347Z", dateReserved: "2023-03-24T16:25:34.466Z", dateUpdated: "2025-02-13T16:48:53.710Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-16539
Vulnerability from cvelistv5
Published
2017-11-04 17:00
Modified
2024-08-05 20:27
Severity
Summary
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
References
| URL | Tags |
|---|---|
| https://marc.info/?l=linux-scsi&m=150985455801444&w=2 | x_refsource_MISC |
| https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 | x_refsource_MISC |
| https://marc.info/?l=linux-scsi&m=150985062200941&w=2 | x_refsource_MISC |
| https://github.com/moby/moby/pull/35399 | x_refsource_MISC |
| https://twitter.com/ewindisch/status/926443521820774401 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:27:03.794Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/35399", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://twitter.com/ewindisch/status/926443521820774401", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-11-04T00:00:00", descriptions: [ { lang: "en", value: "The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a \"scsi remove-single-device\" line to /proc/scsi/scsi, aka SCSI MICDROP.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-11-05T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", }, { tags: [ "x_refsource_MISC", ], url: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/35399", }, { tags: [ 
"x_refsource_MISC", ], url: "https://twitter.com/ewindisch/status/926443521820774401", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-16539", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a \"scsi remove-single-device\" line to /proc/scsi/scsi, aka SCSI MICDROP.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", refsource: "MISC", url: "https://marc.info/?l=linux-scsi&m=150985455801444&w=2", }, { name: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", refsource: "MISC", url: "https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1", }, { name: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", refsource: "MISC", url: "https://marc.info/?l=linux-scsi&m=150985062200941&w=2", }, { name: "https://github.com/moby/moby/pull/35399", refsource: "MISC", url: "https://github.com/moby/moby/pull/35399", }, { name: "https://twitter.com/ewindisch/status/926443521820774401", refsource: "MISC", url: "https://twitter.com/ewindisch/status/926443521820774401", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-16539", datePublished: "2017-11-04T17:00:00", dateReserved: "2017-11-04T00:00:00", dateUpdated: 
"2024-08-05T20:27:03.794Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-29018
Vulnerability from cvelistv5
Published
2024-03-20 20:27
Modified
2024-08-13 17:00
Severity: 5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.
When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.
Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.
In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.
When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.
As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.
Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.
Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address.
Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx | x_refsource_CONFIRM |
| https://github.com/moby/moby/pull/46609 | x_refsource_MISC |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.630Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", }, { name: "https://github.com/moby/moby/pull/46609", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/46609", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "moby", vendor: "mobyproject", versions: [ { lessThan: "23.0.11", status: "affected", version: "0", versionType: "custom", }, { lessThan: "25.0.5", status: "affected", version: "25.0.0", versionType: "custom", }, { lessThan: "26.0.0-rc3", status: "affected", version: "26.0.0-rc1", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-29018", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-03-28T19:09:14.709513Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T17:00:25.512Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: ">= 26.0.0-rc1, < 26.0.0-rc3", }, { status: "affected", version: ">= 25.0.0, < 25.0.5", }, { status: "affected", version: "< 23.0.11", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. 
This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.\n\nWhen containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.\n\nContainers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.\n\nIn addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.\n\nWhen a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.\n\nAs a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. 
Only the names of containers also attached to the internal network are able to be resolved.\n\nMany systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.\n\nBecause `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.\n\nDocker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address.\n\nMoby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. 
As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-669", description: "CWE-669: Incorrect Resource Transfer Between Spheres", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-20T20:27:00.491Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx", }, { name: "https://github.com/moby/moby/pull/46609", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/46609", }, ], source: { advisory: "GHSA-mq39-4gv4-mvpx", discovery: "UNKNOWN", }, title: "External DNS requests from 'internal' networks could lead to data exfiltration", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-29018", datePublished: "2024-03-20T20:27:00.491Z", dateReserved: "2024-03-14T16:59:47.610Z", dateUpdated: "2024-08-13T17:00:25.512Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-24769
Vulnerability from cvelistv5
Published
2022-03-24 00:00
Modified
2024-08-03 04:20
Summary
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:20:49.949Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq", }, { tags: [ "x_transferred", ], url: "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f", }, { tags: [ "x_transferred", ], url: "https://github.com/moby/moby/releases/tag/v20.10.14", }, { name: "FEDORA-2022-e9a09c1a7d", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/", }, { name: "FEDORA-2022-ed53f2439a", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/", }, { name: "FEDORA-2022-c07546070d", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/", }, { name: "FEDORA-2022-cac2323802", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/", }, { name: "FEDORA-2022-eda0049dd7", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/", }, { name: "FEDORA-2022-3826c8f549", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/", }, { name: "[oss-security] 20220512 CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration", tags: [ "mailing-list", 
"x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/05/12/1", }, { name: "DSA-5162", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5162", }, { name: "GLSA-202401-31", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202401-31", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: "< 20.10.14", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. 
As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-732", description: "CWE-732: Incorrect Permission Assignment for Critical Resource", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-31T13:06:22.056004", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq", }, { url: "https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f", }, { url: "https://github.com/moby/moby/releases/tag/v20.10.14", }, { name: "FEDORA-2022-e9a09c1a7d", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/", }, { name: "FEDORA-2022-ed53f2439a", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/", }, { name: "FEDORA-2022-c07546070d", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/", }, { name: "FEDORA-2022-cac2323802", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/", }, { name: "FEDORA-2022-eda0049dd7", tags: [ "vendor-advisory", ], url: 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/", }, { name: "FEDORA-2022-3826c8f549", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/", }, { name: "[oss-security] 20220512 CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/05/12/1", }, { name: "DSA-5162", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5162", }, { name: "GLSA-202401-31", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202401-31", }, ], source: { advisory: "GHSA-2mm7-x5h6-5pvq", discovery: "UNKNOWN", }, title: "Default inheritable capabilities for linux container should be empty", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-24769", datePublished: "2022-03-24T00:00:00", dateReserved: "2022-02-10T00:00:00", dateUpdated: "2024-08-03T04:20:49.949Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-41089
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4 | x_refsource_CONFIRM |
| https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA |
| https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:59:31.512Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", }, { name: "FEDORA-2021-df975338d4", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: "< 20.10.9", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. 
Running containers do not need to be restarted.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-281", description: "CWE-281: Improper Preservation of Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-06-14T10:06:38", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", }, { name: "FEDORA-2021-df975338d4", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], source: { advisory: "GHSA-v994-f8vw-g7j4", discovery: "UNKNOWN", }, title: "`docker cp` allows unexpected chmod of host files", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-41089", STATE: "PUBLIC", TITLE: "`docker cp` allows unexpected chmod of host files", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "moby", version: { version_data: [ { version_value: "< 20.10.9", }, ], }, }, ], }, vendor_name: 
"moby", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 2.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-281: Improper Preservation of Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", refsource: "CONFIRM", url: "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", }, { name: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", refsource: "MISC", url: "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", }, { name: "FEDORA-2021-df975338d4", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", refsource: "FEDORA", url: 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { name: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", refsource: "CONFIRM", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], }, source: { advisory: "GHSA-v994-f8vw-g7j4", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-41089", datePublished: "2021-10-04T20:20:15", dateReserved: "2021-09-15T00:00:00", dateUpdated: "2024-08-04T02:59:31.512Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-10892
Vulnerability from cvelistv5
Published
2018-07-06 16:00
Modified
2024-08-05 07:54
Summary
The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware state, such as enabling or disabling Bluetooth or turning keyboard brightness up or down.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/pull/37404 | x_refsource_CONFIRM |
| https://access.redhat.com/errata/RHSA-2018:2729 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2018:2482 | vendor-advisory, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html | vendor-advisory, x_refsource_SUSE |
| https://access.redhat.com/errata/RHBA-2018:2796 | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T07:54:34.913Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/pull/37404", }, { name: "RHSA-2018:2729", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2729", }, { name: "RHSA-2018:2482", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2482", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892", }, { name: "openSUSE-SU-2019:2021", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", }, { name: "RHBA-2018:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHBA-2018:2796", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "docker", vendor: "[UNKNOWN]", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-07-05T00:00:00", descriptions: [ { lang: "en", value: "The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. 
The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-250", description: "CWE-250", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2019-09-20T07:06:08", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/pull/37404", }, { name: "RHSA-2018:2729", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2729", }, { name: "RHSA-2018:2482", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2482", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892", }, { name: "openSUSE-SU-2019:2021", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", }, { name: "RHBA-2018:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHBA-2018:2796", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2018-10892", datePublished: "2018-07-06T16:00:00", dateReserved: "2018-05-09T00:00:00", dateUpdated: "2024-08-05T07:54:34.913Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-27652
Vulnerability from cvelistv5
Published
2022-04-18 16:20
Modified
2024-08-03 05:32
Summary
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
References
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2066839 | x_refsource_MISC |
| https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T05:32:59.921Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "cri-o", vendor: "n/a", versions: [ { status: "affected", version: "Affects all versions.", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-276", description: "CWE-276 - Incorrect Default Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-18T16:20:29", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2022-27652", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "cri-o", version: { version_data: [ { version_value: "Affects all versions.", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found 
in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-276 - Incorrect Default Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066839", }, { name: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", refsource: "MISC", url: "https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-27652", datePublished: "2022-04-18T16:20:29", dateReserved: "2022-03-22T00:00:00", dateUpdated: "2024-08-03T05:32:59.921Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-28842
Vulnerability from cvelistv5
Published
2023-04-04 21:07
Modified
2025-02-13 16:48
Summary
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*.
Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.
The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes.
Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.
The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.
Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.
References
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T13:51:38.540Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28842", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-10T21:32:48.323374Z", 
version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-10T21:32:59.329Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: ">= 1.12.0, < 20.10.24", }, { status: "affected", version: ">= 23.0.0, < 23.0.3", }, ], }, ], descriptions: [ { lang: "en", value: "Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*.\n\nSwarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.\n\nThe `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.\n\nEncrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. 
By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.\n\nWhen setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.\n\nThe `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.\n\nEncrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.\n\nPatches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.\n\nSome workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. 
The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-420", description: "CWE-420: Unprotected Alternate Channel", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-636", description: "CWE-636: Not Failing Securely ('Failing Open')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-15T20:06:33.396Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p", }, { name: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp", }, { name: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237", }, { name: 
"https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", }, ], source: { advisory: "GHSA-6wrf-mxfj-pf5p", discovery: "UNKNOWN", }, title: "moby/moby's dockerd daemon encrypted overlay network with a single endpoint is unauthenticated", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28842", datePublished: "2023-04-04T21:07:27.575Z", dateReserved: "2023-03-24T16:25:34.466Z", dateUpdated: "2025-02-13T16:48:55.735Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24557
Vulnerability from cvelistv5
Published
2024-02-01 16:26
Modified
2024-08-01 23:19
Summary
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most importantly HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of BuildKit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default. Patches are included in the 24.0.9 and 25.0.2 releases.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc | x_refsource_CONFIRM |
| https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:19:52.928Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", }, { name: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: ">= 25.0.0, < 25.0.2", }, { status: "affected", version: " < 24.0.9", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. 
Patches are included in 24.0.9 and 25.0.2 releases.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.9, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-346", description: "CWE-346: Origin Validation Error", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-345", description: "CWE-345: Insufficient Verification of Data Authenticity", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-01T17:38:40.747Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc", }, { name: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae", }, ], source: { advisory: "GHSA-xw73-rw38-6vjc", discovery: "UNKNOWN", }, title: "Moby classic builder cache poisoning", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-24557", datePublished: "2024-02-01T16:26:29.685Z", dateReserved: "2024-01-25T15:09:40.208Z", dateUpdated: "2024-08-01T23:19:52.928Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-12608
Vulnerability from cvelistv5
Published
2018-09-10 17:00
Modified
2024-08-05 08:38
Summary
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/pull/33182 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T08:38:06.338Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/pull/33182", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-09-10T00:00:00", descriptions: [ { lang: "en", value: "An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-09-10T17:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/pull/33182", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-12608", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. 
This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/moby/moby/pull/33182", refsource: "MISC", url: "https://github.com/moby/moby/pull/33182", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-12608", datePublished: "2018-09-10T17:00:00", dateReserved: "2018-06-21T00:00:00", dateUpdated: "2024-08-05T08:38:06.338Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-36109
Vulnerability from cvelistv5
Published
2022-09-09 17:20
Modified
2025-01-17 13:07
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead, by calling `ENTRYPOINT ["su", "-", "user"]`, the supplementary groups will be set up properly.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T09:52:00.643Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/releases/tag/v20.10.18", }, { name: "FEDORA-2022-b027a13a39", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/", }, { name: "FEDORA-2022-8298607490", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: "< 20.10.18", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `\"USER $USERNAME\"` Dockerfile instruction. 
Instead by calling `ENTRYPOINT [\"su\", \"-\", \"user\"]` the supplementary groups will be set up properly.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863: Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-17T13:07:54.013Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4", }, { name: "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32", }, { name: "https://github.com/moby/moby/releases/tag/v20.10.18", tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/releases/tag/v20.10.18", }, { name: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU", tags: [ "x_refsource_MISC", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU", }, { name: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ", tags: [ "x_refsource_MISC", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ", }, { name: 
"https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation", tags: [ "x_refsource_MISC", ], url: "https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation", }, ], source: { advisory: "GHSA-rc4r-wh2q-q6c4", discovery: "UNKNOWN", }, title: "Moby vulnerability relating to supplementary group permissions", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-36109", datePublished: "2022-09-09T17:20:11", dateReserved: "2022-07-15T00:00:00", dateUpdated: "2025-01-17T13:07:54.013Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-41091
Vulnerability from cvelistv5
Published
2021-10-04 20:20
Modified
2024-08-04 02:59
Summary
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, limit access to the host to trusted users, and limit access to host volumes to trusted containers.
References
| URL | Tags |
|---|---|
| https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 | x_refsource_CONFIRM |
| https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64 | x_refsource_MISC |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ | vendor-advisory, x_refsource_FEDORA |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ | vendor-advisory, x_refsource_FEDORA |
| https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:59:31.575Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", }, { name: "FEDORA-2021-df975338d4", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "moby", vendor: "moby", versions: [ { status: "affected", version: "< 20.10.9", }, ], }, ], descriptions: [ { lang: "en", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. 
This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-281", description: "CWE-281: Improper Preservation of Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-06-14T10:06:37", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", }, { name: "FEDORA-2021-df975338d4", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], source: { advisory: "GHSA-3fwx-pjgw-3558", discovery: "UNKNOWN", }, title: "Insufficiently restricted permissions on data directory in Docker Engine", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: 
"security-advisories@github.com", ID: "CVE-2021-41091", STATE: "PUBLIC", TITLE: "Insufficiently restricted permissions on data directory in Docker Engine", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "moby", version: { version_data: [ { version_value: "< 20.10.9", }, ], }, }, ], }, vendor_name: "moby", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. 
Limit access to host volumes to trusted containers.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-281: Improper Preservation of Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", refsource: "CONFIRM", url: "https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558", }, { name: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", refsource: "MISC", url: "https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64", }, { name: "FEDORA-2021-df975338d4", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", }, { name: "FEDORA-2021-b5a9a481a2", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", }, { name: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", refsource: "CONFIRM", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", }, ], }, source: { advisory: "GHSA-3fwx-pjgw-3558", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-41091", datePublished: "2021-10-04T20:20:09", dateReserved: "2021-09-15T00:00:00", dateUpdated: "2024-08-04T02:59:31.575Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }