7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
54.1%
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Users should update to this version when it is available. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the "USER $USERNAME"
Dockerfile instruction. Instead by calling ENTRYPOINT ["su", "-", "user"]
the supplementary groups will be set up properly.
Thanks to Steven Murdoch for reporting this issue.
If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.
This bug is fixed in Moby (Docker Engine) 20.10.18. Users should update to this version when it is available.
This problem can be worked around by not using the "USER $USERNAME"
Dockerfile instruction. Instead by calling ENTRYPOINT ["su", "-", "user"]
the supplementary groups will be set up properly.
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/moby/moby | lt | 20.10.18 |
github.com/moby/moby
github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
github.com/moby/moby/releases/tag/v20.10.18
github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
lists.fedoraproject.org/archives/list/[email protected]/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU
lists.fedoraproject.org/archives/list/[email protected]/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ
nvd.nist.gov/vuln/detail/CVE-2022-36109
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
54.1%