
mobyv22.06.0-beta.0: 17 vulnerabilities (highest severity is: 10.0) #15

@mend-for-github.amrom.workers.dev

Description

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (1)

/pkg/streamformatter/streamformatter.go

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (mobyv22.06.0-beta.0 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-23652 | Critical | 10.0 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2024-41110 | Critical | 9.9 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2024-23653 | Critical | 9.8 | detected in multiple dependencies | Direct | N/A | |
| CVE-2024-23651 | High | 8.7 | detected in multiple dependencies | Direct | N/A | |
| CVE-2024-21626 | High | 8.6 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2024-36623 | High | 8.1 | mobyv22.06.0-beta.0 | Direct | N/A | |
| WS-2023-0316 | High | 7.5 | mobyv22.06.0-beta.0 | Direct | v0.2.4 | |
| CVE-2023-47108 | High | 7.5 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2023-45142 | High | 7.5 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2023-44487 | High | 7.5 | detected in multiple dependencies | Direct | org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0 | |
| CVE-2024-24557 | Medium | 6.9 | detected in multiple dependencies | Direct | N/A | |
| CVE-2024-36621 | Medium | 6.5 | detected in multiple dependencies | Direct | N/A | |
| CVE-2023-2253 | Medium | 6.5 | detected in multiple dependencies | Direct | v2.8.2 | |
| CVE-2023-25153 | Medium | 6.2 | mobyv22.06.0-beta.0 | Direct | N/A | |
| CVE-2024-29018 | Medium | 5.9 | detected in multiple dependencies | Direct | N/A | |
| CVE-2024-23650 | Medium | 5.3 | detected in multiple dependencies | Direct | N/A | |
| CVE-2023-25173 | Medium | 5.3 | mobyv22.06.0-beta.0 | Direct | v1.5.18,v1.6.18 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23652

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/buildkit/executor/stubs.go

Vulnerability Details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.

Publish Date: 2024-01-31

URL: CVE-2024-23652

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2024-41110

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/pkg/authorization/authz.go

Vulnerability Details

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.
Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.
docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.

Publish Date: 2024-07-24

URL: CVE-2024-41110

CVSS 3 Score Details (9.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2024-23653

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (3)

/buildkit/executor/executor.go
/buildkit/frontend/gateway/forwarder/forward.go
/buildkit/util/entitlements/entitlements.go

Found in base branch: master

Vulnerability Details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special "security.insecure" entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.

Publish Date: 2024-01-31

URL: CVE-2024-23653

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2024-23651

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (2)

/buildkit/snapshot/localmounter.go
/buildkit/executor/oci/spec.go

Found in base branch: master

Vulnerability Details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

Publish Date: 2024-01-31

URL: CVE-2024-23651

CVSS 3 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2024-21626

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Publish Date: 2024-01-31

URL: CVE-2024-21626

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2024-36623

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/pkg/streamformatter/streamformatter.go

Vulnerability Details

moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.

Publish Date: 2024-11-29

URL: CVE-2024-36623

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

WS-2023-0316

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/vendor/github.com/cyphar/filepath-securejoin/join.go

Vulnerability Details

For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.

It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.

Publish Date: 2024-11-03

URL: WS-2023-0316

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6xv5-86q9-7xr8

Release Date: 2023-09-06

Fix Resolution: v0.2.4

CVE-2023-47108

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels "net.peer.sock.addr" and "net.peer.sock.port" that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing "otelgrpc.WithMeterProvider" option with "noop.NewMeterProvider".

Publish Date: 2023-11-10

URL: CVE-2023-47108

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-45142

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

Vulnerability Details

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels "http.user_agent" and "http.method" that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses "httpconv.ServerRequest" that records every value for HTTP "method" and "User-Agent". In order to be affected, a program has to use the "otelhttp.NewHandler" wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute "http.request.method" were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, "otelhttp.WithFilter()" can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label "unknown" non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.

Publish Date: 2023-10-12

URL: CVE-2023-45142

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-44487

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (1)

/vendor/google.golang.org/grpc/internal/transport/http2_server.go

Found in base branch: master

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

CVE-2024-24557

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (2)

/builder/dockerfile/internals.go
/image/cache/compare.go

Found in base branch: master

Vulnerability Details

Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

Publish Date: 2024-02-01

URL: CVE-2024-24557

CVSS 3 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2024-36621

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (2)

/builder/builder-next/adapters/snapshot/layer.go
/builder/builder-next/adapters/snapshot/snapshot.go

Found in base branch: master

Vulnerability Details

moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.

Publish Date: 2024-11-29

URL: CVE-2024-36621

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-2253

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (1)

/vendor/github.com/docker/distribution/registry/api/v2/descriptors.go

Found in base branch: master

Vulnerability Details

A flaw was found in the /v2/_catalog endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n). This vulnerability allows a malicious user to submit an unreasonably large value for n, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Publish Date: 2023-06-06

URL: CVE-2023-2253

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hqxw-f8mx-cpmw

Release Date: 2023-04-24

Fix Resolution: v2.8.2

CVE-2023-25153

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/vendor/github.com/containerd/containerd/images/archive/importer.go

Vulnerability Details

containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

Publish Date: 2023-02-16

URL: CVE-2023-25153

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2024-29018

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (1)

/libnetwork/sandbox_dns_unix.go

Found in base branch: master

Vulnerability Details

Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the "--internal" flag is used to designate a network as internal. The "internal" attribute in a docker-compose.yml file may also be used to mark a network internal, and other API clients may specify the "internal" parameter as well.
When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.
Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.
In addition to configuring the Linux kernel's various networking features to enable container networking, "dockerd" directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.
When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.
As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved.
Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, "dockerd" detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected.
Because "dockerd" forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address.
Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-03-20

URL: CVE-2024-29018

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2024-23650

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Vulnerable Source Files (2)

/buildkit/frontend/gateway/gateway.go
/buildkit/solver/llbsolver/solver.go

Found in base branch: master

Vulnerability Details

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

Publish Date: 2024-01-31

URL: CVE-2024-23650

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2023-25173

Vulnerable Library - mobyv22.06.0-beta.0

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

Library home page: https://github.com/moby/moby.git

Found in base branch: master

Vulnerable Source Files (1)

/vendor/github.com/containerd/containerd/oci/spec_opts.go

Vulnerability Details

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.
This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to "ENTRYPOINT ["su", "-", "user"]" to allow "su" to properly set up supplementary groups.

Publish Date: 2023-02-16

URL: CVE-2023-25173

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmfx-3pcx-653p

Release Date: 2023-02-16

Fix Resolution: v1.5.18,v1.6.18
