CVE-2018-12608
Severity
7.5 HIGH
EPSS
0.4%
top 36.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 10
Latest update: Jan 31
Description
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6