CVE - CVE-2024-41110

CVE-ID
CVE-2024-41110	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191 URL:https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191 MISC:https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76 URL:https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76 MISC:https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919 URL:https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919 MISC:https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b URL:https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b MISC:https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0 URL:https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0 MISC:https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1 URL:https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1 MISC:https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00 URL:https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00 MISC:https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f URL:https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f MISC:https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801 URL:https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801 MISC:https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb URL:https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb MISC:https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq URL:https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq MISC:https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin URL:https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240715	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240715)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)