CVE-2018-12608
moby: cert signing bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
Se ha descubierto un problema en Docker Moby, en versiones anteriores a la 17.06.0. EL motor Docker validó el certificado TLS del cliente mediante el certificado root del CA del cliente configurado y todos los roots del sistema en sistemas que no son Windows. Esto permitió que un cliente con cualquier certificado de dominio validado por una CA root en la que confía el sistema (al contrario que otro firmado por la CA root configurada) para autenticarse
A certificate signing vulnerability was found in Moby. This issue could allow an unauthenticated remote attacker to validate a TLS certificate using Certificate Authorities (CA) from the system instead of only by a specified client CA root, which could allow bypassing of some certificate authorization rules, reducing system integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-06-21 CVE Reserved
- 2018-09-10 CVE Published
- 2024-07-20 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/moby/moby/pull/33182 | 2018-11-19 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2018-12608 | 2024-08-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2275812 | 2024-08-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mobyproject Search vendor "Mobyproject" | Moby Search vendor "Mobyproject" for product "Moby" | < 17.06.0 Search vendor "Mobyproject" for product "Moby" and version " < 17.06.0" | - |
Affected
|