CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
A vulnerability was found in Authorization plugins in Docker Engine (AuthZ). Using a specially-crafted API request, an Engine API client could make the daemon forward a request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request that it would have otherwise denied if the body had been forwarded to it.
bugzilla.redhat.com/show_bug.cgi?id=2299720
github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
nvd.nist.gov/vuln/detail/CVE-2024-41110
www.cve.org/CVERecord?id=CVE-2024-41110
www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin