2678 matches found
CVE-2024-24557 Moby classic builder cache poisoning
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An...
CVE-2024-24557
CVE-2024-24557 affects Moby/Docker’s classic builder cache. The risk arises when building from scratch: HEALTHCHECK and ONBUILD changes may not trigger a cache miss, enabling cache poisoning if an attacker knows the Dockerfile. Impact varies by BuildKit usage: 23.0 and earlier are broadly affecte...
Exploit for File Descriptor Leak in Linuxfoundation Runc
CVE-2024-21626-POC Instructions For educational/research pu...
Exploit for Path Traversal in Jenkins
Jenkins CVE-2024-23897 PoC A proof-of-concept PoC for CVE-2...
GHSA-QRQR-3X5J-2XW9 Docker Authentication Bypass
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root...
GHSA-6FJ5-M822-RQX8 moby docker daemon crash during image pull of malicious image
Impact: Pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Patches: Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. Credits: Maintainers would like to thank Josh Larsen, Ian Coldwater, Duffie Cooley, Rory McCune for working on th...
GHSA-7452-XQPJ-6RPC moby Access to remapped root allows privilege escalation to real root
Impact: When using --userns-remap, if the root user in the remapped namespace has access to the host filesystem they can modify files under /var/lib/docker/ that cause writing files with extended privileges. Patches: Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation fr...
GHSA-XR7R-F8XQ-VFVV runc vulnerable to container breakout through process.cwd trickery and leaked fds
Impact: In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process from runc exec to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). Th...
GHSA-M3R6-H7WV-7XXV vulnerabilities
Vulnerabilities for packages: conftest, skaffold, datadog-agent, buildkitd, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
GHSA-4V98-7QMW-RQR8 vulnerabilities
Vulnerabilities for packages: conftest, datadog-agent-fips, skaffold, datadog-agent, buildkitd, conftest-fips, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
GHSA-4V98-7QMW-RQR8 vulnerabilities
Vulnerabilities for packages: conftest, skaffold, datadog-agent, buildkitd, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
CVE-2024-23651 vulnerabilities
Vulnerabilities for packages: conftest, datadog-agent-fips, skaffold, datadog-agent, buildkitd, conftest-fips, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
CVE-2024-23652 vulnerabilities
Vulnerabilities for packages: conftest, datadog-agent-fips, skaffold, datadog-agent, buildkitd, conftest-fips, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
CVE-2024-23653 vulnerabilities
Vulnerabilities for packages: conftest, datadog-agent-fips, skaffold, datadog-agent, buildkitd, conftest-fips, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
CVE-2024-23651 vulnerabilities
Vulnerabilities for packages: conftest, skaffold, datadog-agent, buildkitd, guac, trivy, scorecard, kaniko, docker, kubescape, zot...
CVE-2024-23652 vulnerabilities
Vulnerabilities for packages: conftest, skaffold, datadog-agent, buildkitd, guac, trivy, scorecard, kaniko, docker, kubescape, zot...