CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32843
https://notcve.org/view.php?id=CVE-2021-32843
17 Feb 2023 — HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, `virtio.c` has is a call to `vc_cfgread` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit df0e46c7dbfd81a957d85e449ba41b52f6f7beb4. • https://github.com/moby/hyperkit/commit/df0e46c7dbfd81a957d85e449ba41b52f6f7beb4 • CWE-476: NULL Pointer Dereference •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32844
https://notcve.org/view.php?id=CVE-2021-32844
17 Feb 2023 — HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, ` vi_pci_write` has is a call to `vc_cfgwrite` that does not check for null which when called makes the host crash. This issue may lead to a guest crashing the host causing a denial of service. This issue is fixed in commit 451558fe8aaa8b24e02e34106e3bb9fe41d7ad13. • https://github.com/moby/hyperkit/commit/451558fe8aaa8b24e02e34106e3bb9fe41d7ad13 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32846 – Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx
https://notcve.org/view.php?id=CVE-2021-32846
17 Feb 2023 — HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107, function `pci_vtsock_proc_tx` in `virtio-sock` can lead to to uninitialized memory use. In this situation, there is a check for the return value to be less or equal to `VTSOCK_MAXSEGS`, but that check is not sufficient because the function can return `-1` if it finds an error it cannot recover from. Moreover, the negative return value will be used by `iovec_pull` in a while condition that can further lead ... • https://github.com/moby/hyperkit/commit/af5eba2360a7351c08dfd9767d9be863a50ebaba • CWE-754: Improper Check for Unusual or Exceptional Conditions CWE-908: Use of Uninitialized Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32845 – Moby HyperKit uninitialized memory use vtrnd pci_vtrnd_notify
https://notcve.org/view.php?id=CVE-2021-32845
17 Feb 2023 — HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior of HyperKit, the implementation of `qnotify` at `pci_vtrnd_notify` fails to check the return value of `vq_getchain`. This leads to `struct iovec iov;` being uninitialized and used to read memory in `len = (int) read(sc->vrsc_fd, iov.iov_base, iov.iov_len);` when an attacker is able to make `vq_getchain` fail. This issue may lead to a guest crashing the host causing a denial of service and, under c... • https://github.com/moby/hyperkit/commit/41272a980197917df8e58ff90642d14dec8fe948 • CWE-252: Unchecked Return Value CWE-908: Use of Uninitialized Resource •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-36109 – Moby vulnerability relating to supplementary group permissions
https://notcve.org/view.php?id=CVE-2022-36109
09 Sep 2022 — Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Mo... • https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-27652 – cri-o: Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-27652
18 Apr 2022 — A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. Se ha encontrado un fallo en cri-o, donde los contenedores eran iniciados incorrectamente con permisos po... • https://bugzilla.redhat.com/show_bug.cgi?id=2066839 • CWE-276: Incorrect Default Permissions •
CVSS: 5.9EPSS: 0%CPEs: 7EXPL: 0CVE-2022-24769 – Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-24769
24 Mar 2022 — Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, ot... • http://www.openwall.com/lists/oss-security/2022/05/12/1 • CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41089 – `docker cp` allows unexpected chmod of host files
https://notcve.org/view.php?id=CVE-2021-41089
04 Oct 2021 — Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should u... • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf • CWE-281: Improper Preservation of Permissions •
CVSS: 6.3EPSS: 4%CPEs: 3EXPL: 3CVE-2021-41091 – Insufficiently restricted permissions on data directory in Docker Engine
https://notcve.org/view.php?id=CVE-2021-41091
04 Oct 2021 — Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. Wh... • https://github.com/UncleJ4ck/CVE-2021-41091 • CWE-281: Improper Preservation of Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12608 – moby: cert signing bypass
https://notcve.org/view.php?id=CVE-2018-12608
10 Sep 2018 — An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate. Se ha descubierto un problema en Docker Moby, en versiones anteriores a la 17.06.0. EL motor Docker validó el certificado TLS del... • https://github.com/moby/moby/pull/33182 • CWE-295: Improper Certificate Validation •