CVE-2024-41110
published 2024-07-24

Priority: P277 · Severity: critical · CVSS 3.1 base score: 9.9
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 16.50% (96.6th percentile)
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression.

Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
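Added example (not code from the advisory or from Moby): a minimal AuthZ decision function in Go showing the failure mode the advisory describes, a body-dependent rule that defaults to allow when no body arrives, beside a fail-closed variant that refuses to decide a container-create request whose body is missing or unparseable. The AuthzRequest type, its field names, the URIs and the privileged-container rule are constructed assumptions modelled on the shape of AuthZ plugin requests, not the real plugin library types.

```go
package main

import (
	"encoding/json"
	"strings"
)

// AuthzRequest mirrors the request fields the daemon forwards to an AuthZ plugin (constructed for this example).
type AuthzRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte
}
// createSpec covers only the part of a container-create body this policy inspects.
type createSpec struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}
func isContainerCreate(r AuthzRequest) bool {
	return r.RequestMethod == "POST" && strings.Contains(r.RequestURI, "/containers/create")
}
// AuthorizeWeak is the bypassable pattern: the body-dependent rule only runs when a body is present, so a create request that reaches the plugin without its body is allowed by default.
func AuthorizeWeak(r AuthzRequest) (allow bool, reason string) {
	if isContainerCreate(r) && len(r.RequestBody) > 0 {
		var spec createSpec
		if json.Unmarshal(r.RequestBody, &spec) == nil && spec.HostConfig.Privileged {
			return false, "privileged containers are not allowed"
		}
	}
	return true, ""
}
// AuthorizeFailClosed refuses any request whose decision depends on the body when that body is absent or unparseable, instead of defaulting to allow.
func AuthorizeFailClosed(r AuthzRequest) (allow bool, reason string) {
	if !isContainerCreate(r) {
		return true, "" // no body-dependent rule applies to this endpoint
	}
	if len(r.RequestBody) == 0 {
		return false, "container create forwarded without a body; refusing to decide"
	}
	var spec createSpec
	if err := json.Unmarshal(r.RequestBody, &spec); err != nil {
		return false, "unparseable container create body: " + err.Error()
	}
	if spec.HostConfig.Privileged {
		return false, "privileged containers are not allowed"
	}
	return true, ""
}
```

The same fail-closed rule belongs on the response side for plugins that inspect response bodies, since the advisory covers both directions.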

Affected

29 ranges · showing 25

Vendor     | Product                                     | Version range                                      | Fixed in
debian     | docker.io                                   | < docker.io 20.10.24+dfsg1-1+deb12u1 (bookworm)    | docker.io 20.10.24+dfsg1-1+deb12u1 (bookworm)
github.com | docker_docker                               | >= 19.03.0 < 23.0.15                               | 23.0.15
github.com | docker_docker                               | >= 20.10.0+incompatible < 25.0.6+incompatible      | 25.0.6+incompatible
github.com | docker_docker                               | >= 24.0.0 < 25.0.6                                 | 25.0.6
github.com | docker_docker                               | >= 26.0.0 < 26.1.5                                 | 26.1.5
github.com | docker_docker                               | >= 26.0.0+incompatible < 26.1.5+incompatible       | 26.1.5+incompatible
github.com | docker_docker                               | >= 27.0.0 < 27.1.1                                 | 27.1.1
github.com | docker_docker                               | >= 27.0.0+incompatible < 27.1.1+incompatible       | 27.1.1+incompatible
github.com | moby_moby                                   | >= 20.10.0+incompatible < 25.0.6+incompatible      | 25.0.6+incompatible
github.com | moby_moby                                   | >= 26.0.0+incompatible < 26.1.5+incompatible       | 26.1.5+incompatible
github.com | moby_moby                                   | >= 27.0.0+incompatible < 27.1.1+incompatible       | 27.1.1+incompatible
github.com | moby_moby_v2                                | >= 0 < 2.0.0-beta.8                                | 2.0.0-beta.8
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
moby       | moby                                        | (no range given)                                   |
msrc       | azl3_moby-engine_25.0.3-13_on_azure_linux_3.0 | (no range given)                                 |
msrc       | azl3_moby-engine_25.0.3-5_on_azure_linux_3.0  | (no range given)                                 |
msrc       | azure_linux_3.0_arm                         | (no range given)                                   |
msrc       | azure_linux_3.0_x64                         | (no range given)                                   |

Detection & IOCs (extracted from sources)

  • Monitor for Docker API requests that are forwarded to AuthZ plugins without a body; the plugin receives a bodyless request it may incorrectly allow
  • Flag Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0 running with AuthZ plugins as vulnerable
  • Alert on privilege escalation actions (e.g., privileged container creation) that follow Docker API calls, especially when AuthZ plugins are in use
  • Docker Desktop v4.32.0 contains a vulnerable Docker Engine; monitor for Docker API access attempts on systems running this version, noting exploitation is limited to the VM scope
  • Docker EE v19.03.x and all versions of Mirantis Container Runtime are NOT vulnerable to CVE-2024-41110
  • Only users who rely on AuthZ plugins for access control are impacted; users without AuthZ plugins are not affected regardless of Docker Engine version
  • The vulnerability is a regression: the original fix was applied in Docker Engine v18.09.1 (January 2019) but was not carried forward to later major versions
  • Patched versions are docker-ce v27.1.1 and branches 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1; the Docker Desktop fix is in v4.33.0 (not yet released at time of advisory)

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 9.9   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa          |              | 9.9   | CRITICAL |
osv           |              | 9.9   | CRITICAL |
vendor_debian |              | 9.9   | CRITICAL |
vendor_msrc   |              | 9.9   | CRITICAL |
vendor_redhat |              | 9.9   | CRITICAL |
vendor_ubuntu |              | 5.9   | MEDIUM   |