CVE-2024-29018
Published: 2024-03-20
CVE-2024-29018: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes…
Priority: P3 · 47 · high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.75% (50.3th percentile)
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.
When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs.
Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly.
In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver.
When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself.
As a consequence of this design, containers sole
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 26.1.4+dfsg1-9 (forky) | docker.io 26.1.4+dfsg1-9 (forky) |
| github.com | docker_docker | >= 0 < 23.0.11 | 23.0.11 |
| github.com | docker_docker | >= 25.0.0 < 25.0.5 | 25.0.5 |
| github.com | docker_docker | >= 25.0.0+incompatible < 25.0.5+incompatible | 25.0.5+incompatible |
| github.com | docker_docker | >= 26.0.0-rc1 < 26.0.0-rc3 | 26.0.0-rc3 |
| github.com | docker_docker | >= 26.0.0-rc1+incompatible < 26.0.0-rc3+incompatible | 26.0.0-rc3+incompatible |
| moby | moby | < 23.0.11 | 23.0.11 |
| moby | moby | — | — |
| moby | moby | — | — |
| mobyproject | moby | < 23.0.11 | 23.0.11 |
| mobyproject | moby | — | — |
| mobyproject | moby | >= 24.0.0 < 25.0.5 | 25.0.5 |
| msrc | azl3_moby-engine_25.0.3-13_on_azure_linux_3.0 | — | — |
| msrc | azl3_moby-engine_25.0.3-6_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_moby-engine_24.0.9-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
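The two things a defender needs from the description and the table above are (a) whether a given Docker Engine / Moby build falls inside an affected range and (b) which networks on a host are marked `internal`, since those are the networks whose isolation assumption this issue undermines. The script below is an added example, not code from the advisory or from the Moby project. The affected ranges are copied from the table (the `moby`/`mobyproject` rows); the `docker network inspect` JSON is constructed sample data, and the version comparison is a simplified one that handles the `-rcN` pre-release and `+incompatible` build-metadata forms seen in the table, not a full semver implementation.

```python
"""Offline checks for CVE-2024-29018 (added example, not project code).

is_affected()        -- version string -> inside an affected range?
internal_networks()  -- `docker network inspect` JSON -> internal networks and
                        the containers attached to them.
"""
import json
import re

# Affected ranges from the table above, as [lower_inclusive, upper_exclusive).
# A lower bound of None means "every version below the fix".
AFFECTED_RANGES = [
    (None, "23.0.11"),
    ("24.0.0", "25.0.5"),
    ("26.0.0-rc1", "26.0.0-rc3"),
]


def parse_version(v):
    """Turn '25.0.5+incompatible' or 'v26.0.0-rc2' into a comparable tuple.

    Build metadata after '+' is ignored. A release sorts after any of its
    pre-releases: (26, 0, 0, 1, ()) > (26, 0, 0, 0, ('rc', 2)).
    """
    v = v.lstrip("v").split("+", 1)[0]
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))          # pad '26.0' to '26.0.0'
    if not pre:
        return nums + (1, ())
    m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
    tag, num = (m.group(1), int(m.group(2) or 0)) if m else (pre, 0)
    return nums + (0, (tag, num))


def is_affected(version):
    """True when `version` lies inside one of AFFECTED_RANGES."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return True
    return False


# Constructed `docker network inspect` output: one internal network with a
# container attached, and one ordinary bridge network.
SAMPLE_INSPECT = json.dumps([
    {"Name": "backend", "Driver": "bridge", "Internal": True,
     "Containers": {"abc123": {"Name": "db", "IPv4Address": "172.20.0.2/16"}}},
    {"Name": "frontend", "Driver": "bridge", "Internal": False,
     "Containers": {"def456": {"Name": "web", "IPv4Address": "172.21.0.2/16"}}},
])


def internal_networks(inspect_json):
    """Return {network name: [attached container names]} for internal networks.

    Containers listed here can still reach dockerd's embedded resolver; on an
    unfixed engine, names it does not know are forwarded to the upstream
    resolver via the host, which is the behaviour the advisory describes.
    """
    result = {}
    for net in json.loads(inspect_json):
        if net.get("Internal"):
            names = sorted(c["Name"] for c in net.get("Containers", {}).values())
            result[net["Name"]] = names
    return result


if __name__ == "__main__":
    for v in ("23.0.10", "24.0.9", "25.0.5", "26.0.0-rc2", "26.1.4"):
        print(f"{v:12} affected={is_affected(v)}")
    print("internal networks:", internal_networks(SAMPLE_INSPECT))
```

On a real host, feed `is_affected()` the output of `docker version --format '{{.Server.Version}}'` and `internal_networks()` the output of `docker network inspect $(docker network ls -q)`; distribution builds (the Debian and Ubuntu packages above) carry their own backports, so for those compare the package version against the distribution advisory rather than the upstream ranges.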
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_debian | 5.9 | MEDIUM | — |
| vendor_redhat | 5.9 | MEDIUM | — |
| vendor_ubuntu | 5.9 | MEDIUM | — |
Ubuntu
Docker vulnerability
vendor_ubuntu·2025-04-15·CVSS 5.9
CVE-2024-41110 [MEDIUM] Docker vulnerability
Title: Docker vulnerability
Summary: docker.io could allow unintended access to network services
USN-7161-1 and USN-7161-2 fixed CVE-2024-41110 for source package
docker.io in Ubuntu 18.04 LTS and for source package docker.io-app in
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10.
This update fixes it for source package docker.io in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. These updates only
address the docker library and not the docker.io application itself, which
was already patched in the previous USNs (USN-7161-1 and USN-7161-2).
Original advisory details:
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate
Ubuntu
Docker vulnerabilities
vendor_ubuntu·2025-02-18·CVSS 5.9
CVE-2024-29018 [MEDIUM] Docker vulnerabilities
Title: Docker vulnerabilities
Summary: Several security issues were fixed in Docker.
USN-7161-1 fixed CVE-2024-29018 in Ubuntu 24.04 LTS. This update fixes it
for source package docker.io in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and source
package docker.io-app for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
USN-7161-1 fixed CVE-2024-41110 in Ubuntu 24.10, Ubuntu 24.04 LTS, and
Ubuntu 18.04 LTS. This update fixes it for source package docker.io-app in
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Original advisory details:
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate data by encoding information in DNS queries
to controlled nameservers. This issue was only addressed for
Ubuntu
Docker vulnerabilities
vendor_ubuntu·2024-12-16·CVSS 5.9
CVE-2024-41110 [MEDIUM] Docker vulnerabilities
Title: Docker vulnerabilities
Summary: Several security issues were fixed in Docker.
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate data by encoding information in DNS queries
to controlled nameservers. This issue was only addressed for the source package
docker.io-app in Ubuntu 24.04 LTS. (CVE-2024-29018)
Cory Snider discovered that Docker did not properly handle authorization
plugin request processing. An attacker could possibly use this issue to
bypass authorization controls by forwarding API requests without their
full body, leading to unauthorized actions. This issue was only addressed for
the source package docker.io-app in Ubuntu 24.10 and Ubuntu 24.04
Red Hat
moby: external DNS requests from 'internal' networks could lead to data exfiltration
vendor_redhat·2024-03-20·CVSS 5.9
CVE-2024-29018 [MEDIUM] CWE-669 moby: external DNS requests from 'internal' networks could lead to data exfiltration
moby: external DNS requests from 'internal' networks could lead to data exfiltration
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well.
When containers with networ
Microsoft
External DNS requests from 'internal' networks could lead to data exfiltration
vendor_msrc·2024-03-12·CVSS 7.5
CVE-2024-29018 [MEDIUM] CWE-669 External DNS requests from 'internal' networks could lead to data exfiltration
External DNS requests from 'internal' networks could lead to data exfiltration
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Relea
Debian
CVE-2024-29018: docker.io - Moby is an open source container framework that is a key component of Docker Eng...
vendor_debian·2024·CVSS 5.9
CVE-2024-29018 [MEDIUM] CVE-2024-29018: docker.io - Moby is an open source container framework that is a key component of Docker Eng...
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The ho
OSV
Docker vulnerability
osv·2025-04-15·CVSS 7.5
CVE-2024-41110 [HIGH] Docker vulnerability
Docker vulnerability
USN-7161-1 and USN-7161-2 fixed CVE-2024-41110 for source package
docker.io in Ubuntu 18.04 LTS and for source package docker.io-app in
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10.
This update fixes it for source package docker.io in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 24.10. These updates only
address the docker library and not the docker.io application itself, which
was already patched in the previous USNs (USN-7161-1 and USN-7161-2).
Original advisory details:
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate data by encoding information in DNS queries
to controlled nameservers. This
OSV
Docker vulnerabilities
osv·2025-02-18·CVSS 7.5
CVE-2024-29018 [HIGH] Docker vulnerabilities
Docker vulnerabilities
USN-7161-1 fixed CVE-2024-29018 in Ubuntu 24.04 LTS. This update fixes it
for source package docker.io in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and source
package docker.io-app for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
USN-7161-1 fixed CVE-2024-41110 in Ubuntu 24.10, Ubuntu 24.04 LTS, and
Ubuntu 18.04 LTS. This update fixes it for source package docker.io-app in
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Original advisory details:
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate data by encoding information in DNS queries
to controlled nameservers. This issue was only addressed for the source package
docker.io-app in Ubuntu 24.04 LTS. (CVE-202
OSV
Docker vulnerabilities
osv·2024-12-16·CVSS 7.5
CVE-2024-29018 [HIGH] Docker vulnerabilities
Docker vulnerabilities
Yair Zak discovered that Docker could unexpectedly forward DNS requests
from internal networks in an unexpected manner. An attacker could possibly
use this issue to exfiltrate data by encoding information in DNS queries
to controlled nameservers. This issue was only addressed for the source package
docker.io-app in Ubuntu 24.04 LTS. (CVE-2024-29018)
Cory Snider discovered that Docker did not properly handle authorization
plugin request processing. An attacker could possibly use this issue to
bypass authorization controls by forwarding API requests without their
full body, leading to unauthorized actions. This issue was only addressed for
the source package docker.io-app in Ubuntu 24.10 and Ubuntu 24.04 LTS,
and the source package docker.io in Ubuntu 18.04 LTS. (CVE
OSV
Data exfiltration from internal networks in github.com/docker/docker
osv·2024-03-22
CVE-2024-29018 Data exfiltration from internal networks in github.com/docker/docker
Data exfiltration from internal networks in github.com/docker/docker
dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
GHSA
Moby's external DNS requests from 'internal' networks could lead to data exfiltration
ghsa·2024-03-20
CVE-2024-29018 [MEDIUM] CWE-669 Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Moby is an open source container framework originally developed by Docker Inc. as Docker. It is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. As a batteries-included container runtime, Moby comes with a built-in networking implementation that enables communication between containers, and between containers and external resources.
Moby's networking implementation allows for creating and using many networks, each with their own subnet and gateway. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters, and thus behaviors. When creating a network, the `--internal` flag is used to
OSV
CVE-2024-29018: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or r
osv·2024-03-20·CVSS 7.5
CVE-2024-29018 [HIGH] CVE-2024-29018: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or r
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The ho
OSV
Moby's external DNS requests from 'internal' networks could lead to data exfiltration
osv·2024-03-20
CVE-2024-29018 [MEDIUM] Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Moby is an open source container framework originally developed by Docker Inc. as Docker. It is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. As a batteries-included container runtime, Moby comes with a built-in networking implementation that enables communication between containers, and between containers and external resources.
Moby's networking implementation allows for creating and using many networks, each with their own subnet and gateway. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters, and thus behaviors. When creating a network, the `--internal` flag is used to
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-03-20