CVE-2022-27652 – cri-o: Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-27652
A flaw was found in cri-o where containers were started with a non-empty default inheritable capability set, the same class of issue as Moby's CVE-2022-24769 (listed below). Because the inheritable set is preserved when a process switches from root to an unprivileged UID, an attacker with access to programs that carry inheritable file capabilities can elevate those capabilities into the permitted set when execve(2) runs. • https://bugzilla.redhat.com/show_bug.cgi?id=2066839 https://github.com/cri-o/cri-o/security/advisories/GHSA-4hj2-r2pm-3hc6 https://access.redhat.com/security/cve/CVE-2022-27652 • CWE-276: Incorrect Default Permissions •
CVE-2022-24769 – Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-24769
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. • http://www.openwall.com/lists/oss-security/2022/05/12/1 https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f https://github.com/moby/moby/releases/tag/v20.10.14 https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG https://lists.fedo • CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
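The execve(2) capability arithmetic behind both the cri-o entry and this Moby entry, as an added example that is not code from either project: it implements the transformation rules from capabilities(7) and runs a constructed scenario (a small bounding set, a binary with CAP_NET_RAW in its inheritable file capabilities, an unprivileged user inside the container) once with the buggy non-empty inheritable set and once with the empty set the fix installs. The capability numbers are the kernel's; the bounding set, the tool's file capabilities and the helper names are assumptions made for the demonstration.

```go
package main

import "fmt"

// Capability numbers from <linux/capability.h>; only the few used here.
const (
	CapChown          = 0
	CapNetBindService = 10
	CapNetRaw         = 13
	CapSysAdmin       = 21
)

// CapSet is a Linux capability bitmask (bit n set = capability n held).
type CapSet uint64

// Caps builds a CapSet from capability numbers.
func Caps(nums ...uint) CapSet {
	var s CapSet
	for _, n := range nums {
		s |= 1 << n
	}
	return s
}

// Has reports whether capability n is in the set.
func (s CapSet) Has(n uint) bool { return s&(1<<n) != 0 }

// ProcCaps is the capability state of a process, as in capabilities(7).
type ProcCaps struct {
	Permitted, Effective, Inheritable, Bounding, Ambient CapSet
}

// FileCaps are the capabilities attached to an executable with setcap(8);
// "setcap cap_net_raw+i" gives Inheritable = CAP_NET_RAW, for example.
type FileCaps struct {
	Permitted, Inheritable CapSet
	Effective              bool
}

// Execve applies the execve(2) transformation rules from capabilities(7)
// for a process whose UID does not change across the exec:
//
//	P'(ambient)     = file has caps ? 0 : P(ambient)
//	P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//	P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
//	P'(inheritable) = P(inheritable)
//	P'(bounding)    = P(bounding)
func Execve(p ProcCaps, f FileCaps) ProcCaps {
	out := ProcCaps{Inheritable: p.Inheritable, Bounding: p.Bounding}
	if f.Permitted == 0 && f.Inheritable == 0 {
		out.Ambient = p.Ambient
	}
	out.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | out.Ambient
	if f.Effective {
		out.Effective = out.Permitted
	} else {
		out.Effective = out.Ambient
	}
	return out
}

// Constructed scenario (an assumption, not taken from the advisory): a container
// whose bounding set is a small default set, and a binary inside it that carries
// CAP_NET_RAW in its inheritable file capabilities.
var (
	DefaultBounding = Caps(CapChown, CapNetBindService, CapNetRaw)
	RawSocketTool   = FileCaps{Inheritable: Caps(CapNetRaw), Effective: true}
)

// UnprivilegedUser is a non-root process in the container after privilege
// separation: permitted and effective are empty, but the inheritable set
// survives the switch from UID 0, which is exactly why the default matters.
func UnprivilegedUser(inheritable CapSet) ProcCaps {
	return ProcCaps{Inheritable: inheritable, Bounding: DefaultBounding}
}

func main() {
	// Pre-fix Moby/cri-o: the inheritable set defaults to the full default set.
	before := Execve(UnprivilegedUser(DefaultBounding), RawSocketTool)
	// Post-fix: the inheritable set is empty, so F(inheritable) contributes nothing.
	after := Execve(UnprivilegedUser(0), RawSocketTool)
	fmt.Printf("pre-fix  CAP_NET_RAW in permitted: %v\n", before.Permitted.Has(CapNetRaw))
	fmt.Printf("post-fix CAP_NET_RAW in permitted: %v\n", after.Permitted.Has(CapNetRaw))
}
```

With the pre-fix inheritable set the unprivileged user ends up with CAP_NET_RAW permitted and effective; with the empty set, the same binary gains nothing. A program with *permitted* file capabilities is unaffected by the fix either way, and is still clipped to the container's bounding set, which is the "up to the bounding set" behaviour the advisory calls normal.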
CVE-2021-41089 – `docker cp` allows unexpected chmod of host files
https://notcve.org/view.php?id=CVE-2021-41089
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. • https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB • CWE-281: Improper Preservation of Permissions •
CVE-2021-41091 – Insufficiently restricted permissions on data directory in Docker Engine
https://notcve.org/view.php?id=CVE-2021-41091
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. • https://github.com/UncleJ4ck/CVE-2021-41091 https://github.com/jrbH4CK/CVE-2021-41091 https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64 https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6 • CWE-281: Improper Preservation of Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
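An audit for the condition this entry describes, as an added example that is not Moby's own code: it reports whether the data directory grants any permission to "other" users, and walks the tree for setuid/setgid files that an unprivileged host user could actually reach, i.e. where every directory on the path is traversable by "other". Root traversability is the precondition for both attack paths in the description (executing setuid binaries, and reading or modifying files whose owner UID collides with a host user), so locking down the top-level directory closes both. The default path `/var/lib/docker` is the one named in the entry; the helper names are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is a setuid/setgid file that an unprivileged host user can both
// reach (every ancestor directory is traversable by "other") and execute.
type Finding struct {
	Path string
	Mode fs.FileMode
}

// DataDirExposed reports whether the daemon's data directory grants any
// permission to "other" users. Once the root is not traversable by "other",
// nothing beneath it is reachable by path guessing or UID collision,
// regardless of how individual layers were unpacked.
func DataDirExposed(root string) (bool, error) {
	info, err := os.Stat(root)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o007 != 0, nil
}

// AuditDataDir walks the data directory (run it as root so every directory
// can be read) and returns setuid/setgid files that "other" users can reach
// and execute. Subtrees under a directory without o+x are skipped: a setuid
// bit deep in a layer is harmless when the path to it cannot be traversed.
func AuditDataDir(root string) ([]Finding, error) {
	traversable := map[string]bool{} // dir -> reachable by "other" from root
	var findings []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		mode := info.Mode()
		if d.IsDir() {
			parentOK := p == root || traversable[filepath.Dir(p)]
			traversable[p] = parentOK && mode.Perm()&0o001 != 0
			if !traversable[p] {
				return fs.SkipDir
			}
			return nil
		}
		if mode&(fs.ModeSetuid|fs.ModeSetgid) != 0 && mode.Perm()&0o001 != 0 {
			findings = append(findings, Finding{Path: p, Mode: mode})
		}
		return nil
	})
	return findings, err
}

func main() {
	root := "/var/lib/docker"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	exposed, err := DataDirExposed(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s grants permissions to other users: %v\n", root, exposed)
	findings, err := AuditDataDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("reachable setuid/setgid file: %s (%s)\n", f.Path, f.Mode)
	}
}
```

Run it as root against a pre-20.10.9 host and any `su`, `sudo` or `mount` binary inside an image layer shows up; after the upgrade, or after removing the "other" bits from the root directory by hand, the same binaries are no longer reachable and the walk stops at the top level.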
CVE-2018-12608 – moby: cert signing bypass
https://notcve.org/view.php?id=CVE-2018-12608
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. As a result, a client presenting any certificate that chains to a system-trusted root CA, such as a domain-validated certificate for a domain it controls, could authenticate to the daemon, rather than only clients holding certificates signed by the configured CA root certificate. • https://github.com/moby/moby/pull/33182 https://access.redhat.com/security/cve/CVE-2018-12608 https://bugzilla.redhat.com/show_bug.cgi?id=2275812 • CWE-295: Improper Certificate Validation •
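The pool mistake and its fix in Go's crypto/tls, as an added example that is not Moby's own code: two CAs are generated in memory, the daemon's configured CA and a second root that stands in for a publicly trusted system root, and a client certificate from each is checked against a pool holding only the configured CA (the fixed behaviour) and against a pool that also trusts the second root (the shape of the pre-17.06.0 behaviour). The CA names and helper names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testCA is a self-signed CA generated in memory for the demonstration.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA generates a self-signed P-256 CA certificate with the given name.
func newCA(name string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueClient signs a client-authentication leaf certificate with the CA.
func (c *testCA) issueClient(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ServerTLSConfig is the fixed pattern: ClientCAs is a fresh pool holding only
// the configured CA. Starting from x509.SystemCertPool(), or leaving ClientCAs
// nil so that x509 falls back to the system roots, admits every public CA.
func ServerTLSConfig(configuredCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(configuredCA)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
}

// accepted performs the verification a server does on a presented client
// certificate, using the pool from the tls.Config.
func accepted(cfg *tls.Config, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Outcome records which clients a configuration accepts.
type Outcome struct{ OwnCA, ForeignCA bool }

// Demo returns the outcomes for the fixed pool (configured CA only) and for a
// pool that also trusts a foreign root, the way a system pool would.
func Demo() (fixed, buggy Outcome, err error) {
	configured, err := newCA("docker-configured-ca")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	foreign, err := newCA("some-system-root")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	ownClient, err := configured.issueClient("admin")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	foreignClient, err := foreign.issueClient("attacker.example")
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	cfg := ServerTLSConfig(configured.cert)
	fixed = Outcome{accepted(cfg, ownClient), accepted(cfg, foreignClient)}
	wide := x509.NewCertPool() // stands in for x509.SystemCertPool() plus the configured CA
	wide.AddCert(foreign.cert)
	wide.AddCert(configured.cert)
	buggyCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: wide}
	buggy = Outcome{accepted(buggyCfg, ownClient), accepted(buggyCfg, foreignClient)}
	return fixed, buggy, nil
}

func main() {
	fixed, buggy, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("configured CA only:   own=%v foreign=%v\n", fixed.OwnCA, fixed.ForeignCA)
	fmt.Printf("system-style pool:    own=%v foreign=%v\n", buggy.OwnCA, buggy.ForeignCA)
}
```

The check to carry over to any mutually authenticated daemon: the pool passed as ClientCAs must be built with x509.NewCertPool() from the configured CA file alone, and a client certificate from an unrelated root must fail the handshake.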