CVE-2018-10892
CVE-2018-10892: In Docker/Moby, the default OCI Linux spec (oci/defaults_linux.go) from 1.11 to current does not block /proc/acpi pathnames. This allows a container to affect host hardware state (e.g., enabling/disabling Bluetooth, changing keyboard brightness) by targeting /proc/acpi, represent...
CVE-2023-28842
CVE-2023-28842 affects Moby/dockerd, specifically Swarm overlay with encrypted VXLAN: an endpoint on an encrypted overlay can be unauthenticated, allowing cleartext VXLAN traffic to be injected or leaked under certain conditions. The issue stems from how iptables rules and IPsec handling are appl...
CVE-2023-28840
CVE-2023-28840 affects Moby/dockerd with Swarm overlay networks (VXLAN) in encrypted mode. The vulnerability stems from how iptables rules (using xt_u32) enforce IPSec for encrypted overlays; admin firewall rules can override Moby’s, potentially allowing unencrypted traffic, and arbitrary Etherne...
CVE-2023-28841
CVE-2023-28841 describes a vulnerability in Moby/Docker Swarm encrypted overlay networks where, on affected platforms, encrypted overlay traffic can silently transmit unencrypted data due to how IPSec/VXLAN are enforced via iptables rules (using the xt_u32 module and VNI filtering). This can allo...
CVE-2022-24769
CVE-2022-24769 affects Moby (Docker Engine) before 20.10.14. The bug starts containers with non-empty inheritable Linux process capabilities, enabling programs with inheritable file capabilities to elevate to the container’s permitted set during execve, potentially impacting containers using Linu...
CVE-2021-41089
CVE-2021-41089 concerns Moby (Docker Engine). A bug in docker cp into a specially-crafted container can cause Unix file permission changes for existing host files, potentially widening access to others. The issue is fixed in Moby/Docker Engine 20.10.9; users should upgrade to that version. Runnin...
CVE-2024-29018
CVE-2024-29018 affects the Moby-based docker/libnetwork networking stack, where internal networks can forward DNS requests to an external nameserver due to how host loopback DNS resolution is bridged for internal networks. The issue enables an attacker controlling an authoritative DNS domain to c...
CVE-2024-24557
CVE-2024-24557 affects Moby/Docker’s classic builder cache. The risk arises when building from scratch: HEALTHCHECK and ONBUILD changes may not trigger a cache miss, enabling cache poisoning if an attacker knows the Dockerfile. Impact varies by Buildkit usage: 23.0 and earlier are broadly affecte...
CVE-2024-32473
CVE-2024-32473 affects Moby (Docker Engine/related tooling). In 26.0.0 IPv6 was not disabled on interfaces, including those with --ipv6=false, allowing containers with ipvlan/macvlan to access local networks via IPv6, potentially receive SLAAC addresses, or join IPv6 multicast groups, increasing ...
CVE-2024-36623
CVE-2024-36623: Moby (through v25.0.3) has a race-condition vulnerability in the streamformatter package that can trigger concurrent writes, leading to data corruption or application crashes. Connected IBM/ASTRA/related advisories confirm this specific CVE ID and tie it to moby v25.x with the kno...
CVE-2024-36621
Summary of CVE-2024-36621 (Moby): IBM and Astra/Linux bulletins confirm a race condition in moby v25.0.5 within builder/builder-next/adapters/snapshot/layer.go. The vulnerability can trigger concurrent builds that call EnsureLayer, leading to resource leaks or exhaustion. The issue is due to imp...
CVE-2024-36620
CVE-2024-36620 affects moby v25.0.0–v26.0.2. IBM notes a NULL pointer dereference in daemon/images/image_history.go (CWE-476), which can crash the daemon. Affected versions are moby 25.0.0–26.0.2. The provided documents do not include a direct vendor patch or remediation steps for moby; a related...
CVE-2021-41091
CVE-2021-41091 concerns Moby (Docker Engine). A bug in the Docker Engine data directory (/var/lib/docker) left subdirectories with weak permissions, enabling unprivileged host users to traverse contents and, if containers held executables with elevated bits (e.g., setuid), to discover and run tho...
CVE-2022-36109
CVE-2022-36109 concerns a bug in Moby/Docker Engine where supplementary groups are not set up correctly inside a container. An attacker with access to a container could manipulate supplementary group access to bypass primary group restrictions, potentially exposing sensitive information or enabli...
CVE-2022-27652
CVE-2022-27652 relates to a security regression in cri-o/OpenShift container components where containers could be started with inheritable capabilities improperly. The Red Hat advisories note that the issue involves adding the fix for CVE-2022-27652 to certain OpenShift releases, and that older O...
CVE-2025-54388
CVE-2025-54388 affects Moby/Docker Engine. In versions 28.2.0–28.3.2, reloading firewalld can wipe all iptables rules, including Docker-created ones. Docker should recreate these rules, but prior to 28.3.3 it fails to recreate the specific rules that block external access to containers. As a resu...
CVE-2025-54410
CVE-2025-54410 affects Moby (Docker Engine, Mirantis Container Runtime, and downstreams). A firewalld-related issue causes Docker to fail to re-create iptables rules that isolate bridge networks when firewalld reloads, allowing containers to reach ports across bridge networks on the same host. Th...
CVE-2026-41568
CVE-2026-41568 describes a race condition in Moby/Docker Engine during docker cp mount setup. A malicious container could create empty files or directories at arbitrary absolute paths on the host filesystem. Affected versions include Docker Engine prior to 29.5.1, Docker Daemon prior to 28.5.2, a...
CVE-2017-16539
CVE-2017-16539 affects Docker Moby up to 17.03.2-ce: DefaultLinuxSpec does not block /proc/scsi pathnames, enabling data loss via writing a scsi remove-single-device line to /proc/scsi/scsi (SCSI MICDROP). Connected docs indicate this issue is addressed in later Docker/SUSE advisories (e.g., dock...
CVE-2018-12608
Docker Moby before 17.06.0 is affected by a TLS authentication flaw: the engine validates client certificates against both the configured CA and system roots (on non-Windows). This lets a client presenting a certificate signed by any system-trusted root CA authenticate, instead of only certificat...
CVE-2026-42306
CVE-2026-42306 affects Moby/Docker: a race condition during docker cp mount setup could redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. Affected are Docker Engine prior to 29.5.1, Docker Daemon 28.5.2 and earlier, and Moby D...