Veracode Vulnerability Database: VERACODE:48251
History: Jul 29, 2024 - 6:52 a.m.

Improper Authentication

2024-07-29 06:52:07
sca.analysiscenter.veracode.com
Tags: vulnerability, docker engine, api requests, authorization plugins, bypass, privilege escalation, github.com/moby/moby

CVSS3: 9.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.5
Confidence: High

github.com/moby/moby is vulnerable to Improper Authentication. The vulnerability is due to the way Docker Engine handles specially crafted API requests, which causes authorization plugins to receive requests or responses without the body. Attackers can use this flaw to bypass AuthZ plugins and potentially perform unauthorized actions, including privilege escalation.
