github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110 #28

tatianab · 2024-08-01T21:10:46Z

Advisory GHSA-v23v-6jw2-98fq references a vulnerability in the following Go modules:

Module
github.com/docker/docker
github.com/docker/docker
github.com/docker/docker
github.com/docker/docker

Description:
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Impact

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an [authorization plugin](https://docs.docker.com/engi...

References:

ADVISORY: GHSA-v23v-6jw2-98fq
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
WEB: moby/moby@411e817
WEB: moby/moby@42f40b1
WEB: moby/moby@65cc597
WEB: moby/moby@852759a
WEB: moby/moby@a312606
WEB: moby/moby@a79fabb
WEB: moby/moby@ae160b4
WEB: moby/moby@ae2b366
WEB: moby/moby@cc13f95
WEB: moby/moby@fc274cd
WEB: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin

!! Possible duplicate report !!

CVE-2024-41110 appears in 1 other report(s):
- data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)

Cross references:

github.com/docker/docker appears in 72 other report(s):
- data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
- data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
- data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
- data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
- data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
- data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
- data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
- data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
- data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
- data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
- data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
- data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
- data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
- data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
- data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
- data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
- data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
- data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
- data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
- data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
- data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
- data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
- data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
- data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
- data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
- data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
- data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
- data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
- data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
- data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
- data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
- data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
- data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
- data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
- data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
- data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
- data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
- data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
- data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
- data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
- data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
- data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
- data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
- data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
- data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
- data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
- data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
- data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
- data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
- data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
- data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
- data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
- data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
- data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
- data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
- data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
- data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
- data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
- data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
- data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
- data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
- data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
- data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
- data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
- data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
- data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
- data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
- data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
- data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
- data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
- data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
- data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/docker/docker
      non_go_versions:
        - introduced: 19.03.0
        - fixed: 23.0.14
      vulnerable_at: 27.1.1+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 24.0.0+incompatible
        - fixed: 25.0.6+incompatible
      vulnerable_at: 25.0.5+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 26.0.0+incompatible
        - fixed: 26.1.4+incompatible
      vulnerable_at: 26.1.3+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 27.0.0+incompatible
        - fixed: 27.1.0+incompatible
      vulnerable_at: 27.0.3+incompatible
summary: Authz zero length regression in github.com/docker/docker
cves:
    - CVE-2024-41110
ghsas:
    - GHSA-v23v-6jw2-98fq
references:
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
    - web: https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
    - web: https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
    - web: https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
    - web: https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
    - web: https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
    - web: https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
    - web: https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
    - web: https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
    - web: https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
    - web: https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
    - web: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
notes:
    - fix: 'module merge error: could not merge versions of module github.com/docker/docker: invalid or non-canonical semver version (found 19.03.0)'
source:
    id: GHSA-v23v-6jw2-98fq
    created: 2024-08-01T17:10:13.279859-04:00
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110 #28

github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110 #28

tatianab commented Aug 1, 2024

github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110 #28

github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110 #28

Comments

tatianab commented Aug 1, 2024

Impact