CVE-2022-36109

2022-09-0918:15:10

CWE-863

[email protected]

web.nvd.nist.gov

112

cve

2022

36109

moby

docker engine

bug

security

containerization

supplementary groups

access restriction

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.3%

JSON

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the "USER $USERNAME" Dockerfile instruction. Instead by calling ENTRYPOINT ["su", "-", "user"] the supplementary groups will be set up properly.

Affected configurations

Vulners

NVD

Node

mobymobyRange<20.10.18

CPENameOperatorVersion
mobyproject:mobymobyproject mobylt20.10.18

CPE	Name	Operator	Version
mobyproject:moby	mobyproject moby	lt	20.10.18

CNA Affected

[
  {
    "product": "moby",
    "vendor": "moby",
    "versions": [
      {
        "status": "affected",
        "version": "< 20.10.18"
      }
    ]
  }
]