CVE-2022-24769
Published 2022-03-24
Priority: P4 · 26 · medium · 5.9 · CVSS 3.1
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS
0.49%
38.5th percentile
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
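The condition the advisory describes is visible in a process's `/proc/<pid>/status`: a container started by an affected engine reports a non-empty `CapInh` line. The script below is an added example, not code from the advisory or the Moby project; it parses that status format and decodes the mask, using two constructed status snippets (one mirroring an affected container whose inheritable set equals Docker's default bounding set, one mirroring a fixed engine). The `capsh --inh=` usage in the final comment is assumed from libcap's `capsh(1)` options.

```shell
#!/bin/sh
# Added example, not from the advisory or the Moby project: read the capability
# sets a process reports in /proc/<pid>/status and flag the condition behind
# CVE-2022-24769, a non-empty inheritable set (CapInh) inside a container.
# Both status snippets below are constructed: the first mirrors an affected
# container whose CapInh equals Docker's default bounding set, the second a
# container started by a fixed engine (CapInh all zero).

# Capability names by bit number (0 = cap_chown ... 40 = cap_checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# cap_field STATUS_TEXT FIELD: print the hex mask of CapInh/CapPrm/CapEff/CapBnd.
cap_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# decode_caps HEXMASK: print the capability names whose bit is set, in bit order.
decode_caps() {
  mask=$((0x$1)); i=0; out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then out="$out $name"; fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# inh_check STATUS_TEXT: "vulnerable: ..." when CapInh is non-empty, else "ok".
inh_check() {
  inh=$(cap_field "$1" CapInh)
  if [ $((0x${inh:-0})) -ne 0 ]; then
    printf 'vulnerable: CapInh=%s (%s)\n' "$inh" "$(decode_caps "$inh")"
  else
    printf 'ok: CapInh is empty\n'
  fi
}

AFFECTED=$(printf 'CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n')
FIXED=$(printf 'CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n')

inh_check "$AFFECTED"
inh_check "$FIXED"
# Live check inside a running container: inh_check "$(cat /proc/self/status)"
# Workaround from the advisory (capsh flag usage assumed from libcap): start the
# entrypoint as  capsh --inh= -- -c '<entrypoint>'  so CapInh is cleared first.
```

A `CapInh` that is non-zero while `CapBnd` is unchanged is exactly the advisory's point: no new capability enters the sandbox, but a binary with inheritable file capabilities can raise them into its permitted set for an unprivileged in-container user.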
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | >= 0 < 1.4.13~ds1-1~deb11u2 | 1.4.13~ds1-1~deb11u2 |
| containerd | containerd | >= 0 < 1.6.2~ds1-1 | 1.6.2~ds1-1 |
| containerd | containerd | >= 0 < 1.6.2~ds1-1 | 1.6.2~ds1-1 |
| containerd | containerd | >= 0 < 1.6.2~ds1-1 | 1.6.2~ds1-1 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu1~18.04.2 | 1.5.9-0ubuntu1~18.04.2 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu1~20.04.6 | 1.5.9-0ubuntu1~20.04.6 |
| containerd | containerd | >= 0 < 1.5.9-0ubuntu3.1 | 1.5.9-0ubuntu3.1 |
| debian | containerd | < containerd 1.6.2~ds1-1 (bookworm) | containerd 1.6.2~ds1-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | docker_docker | >= 0 < 20.10.14 | 20.10.14 |
| github.com | docker_docker | >= 0 < 20.10.14+incompatible | 20.10.14+incompatible |
| github.com | moby_moby | >= 0 < 20.10.14 | 20.10.14 |
| github.com | moby_moby | >= 0 < 20.10.14+incompatible | 20.10.14+incompatible |
| linuxfoundation | runc | < 1.1.2 | 1.1.2 |
| moby | moby | < 20.10.14 | 20.10.14 |
| mobyproject | moby | < 20.10.14 | 20.10.14 |
| msrc | cbl2_moby-runc_1.1.2-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_moby-runc_1.1.2+azure-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 5.9 | MEDIUM | — |
| vendor_msrc | 5.9 | MEDIUM | — |
| vendor_redhat | 5.9 | MEDIUM | — |
| vendor_ubuntu | 5.7 | MEDIUM | — |
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2022-12-13·CVSS 5.7
CVE-2022-24778 [MEDIUM] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)
It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)
It was discovered that containerd incorrectly handled access to encrypted
container images when using imgcrypt library. A remote attacker could
possibly use this issue to access encrypte
Red Hat
buildah: Default inheritable capabilities for linux container should be empty
vendor_redhat·2022-03-30·CVSS 5.9
CVE-2022-27651 [MEDIUM] CWE-276 buildah: Default inheritable capabilities for linux container should be empty
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
Red Hat
cri-o: Default inheritable capabilities for linux container should be empty
vendor_redhat·2022-03-30·CVSS 5.9
CVE-2022-27652 [MEDIUM] CWE-276 cri-o: Default inheritable capabilities for linux container should be empty
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Red Hat
crun: Default inheritable capabilities for linux container should be empty
vendor_redhat·2022-03-30·CVSS 5.9
CVE-2022-27650 [MEDIUM] CWE-276 crun: Default inheritable capabilities for linux container should be empty
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Red Hat
podman: Default inheritable capabilities for linux container should be empty
vendor_redhat·2022-03-30·CVSS 5.9
CVE-2022-27649 [MEDIUM] CWE-276 podman: Default inheritable capabilities for linux container should be empty
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Red Hat
moby: Default inheritable capabilities for linux container should be empty
vendor_redhat·2022-03-23·CVSS 5.9
CVE-2022-24769 [MEDIUM] CWE-276 moby: Default inheritable capabilities for linux container should be empty
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable
Microsoft
Default inheritable capabilities for linux container should be empty
vendor_msrc·2022-03-08·CVSS 5.9
CVE-2022-24769 [MEDIUM] CWE-732 Default inheritable capabilities for linux container should be empty
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Products: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Refer
Debian
CVE-2022-24769: containerd - Moby is an open-source project created by Docker to enable and accelerate softwa...
vendor_debian·2022·CVSS 5.9
CVE-2022-24769 [MEDIUM] CVE-2022-24769: containerd - Moby is an open-source project created by Docker to enable and accelerate softwa...
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to add
OSV
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker
osv·2024-08-21
CVE-2022-24769 Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker
OSV
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
osv·2024-04-22
CVE-2022-24769 [MEDIUM] Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
### Impact
A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritabl
GHSA
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
ghsa·2024-04-22
CVE-2022-24769 [MEDIUM] CWE-732 Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
### Impact
A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritabl
OSV
containerd vulnerabilities
osv·2022-12-13·CVSS 6.5
CVE-2022-23471 [MEDIUM] containerd vulnerabilities
It was discovered that containerd incorrectly handled memory
when receiving certain faulty Exec or ExecSync commands. A remote
attacker could possibly use this issue to cause a denial of service
or crash containerd. (CVE-2022-23471, CVE-2022-31030)
It was discovered that containerd incorrectly set up inheritable file
capabilities. An attacker could possibly use this issue to escalate
privileges inside a container. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24769)
It was discovered that containerd incorrectly handled access to encrypted
container images when using imgcrypt library. A remote attacker could
possibly use this issue to access encrypted images from other users.
This issue only affected Ubuntu 18.04 LT
OSV
CVE-2022-24769: Moby is an open-source project created by Docker to enable and accelerate software containerization
osv·2022-03-24·CVSS 5.9
CVE-2022-24769 [MEDIUM] CVE-2022-24769: Moby is an open-source project created by Docker to enable and accelerate software containerization
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to add
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2022/05/12/1
- https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f
- https://github.com/moby/moby/releases/tag/v20.10.14
- https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/
- https://security.gentoo.org/glsa/202401-31
- https://www.debian.org/security/2022/dsa-5162