Severity: 9.9 CRITICAL (NVD), 7.5 (OSV)
EPSS: 4.0% (top 11.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 24; latest update Mar 27

Description

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0

Affected Packages (3 packages)

Go | github.com/docker_docker | 19.03.0 | 23.0.15 | +6
Go | github.com/moby_moby | 20.10.0+incompatible | 25.0.6+incompatible | +2
CVEListV5 | moby/moby | 9 versions | +8

🔴 Vulnerability Details (8)

GHSA: Moby has AuthZ plugin bypass when provided oversized request bodies (2026-03-27)
OSV: Docker vulnerability (2025-04-15)
OSV: Docker vulnerabilities (2025-02-18)
GHSA: Authz zero length regression (2024-07-30)
OSV: Authz zero length regression (2024-07-30)

📋 Vendor Advisories (6)

Ubuntu: Docker vulnerability (2025-04-15)
Ubuntu: Docker vulnerabilities (2025-02-18)
Ubuntu: Docker vulnerabilities (2024-12-16)
Red Hat: moby: Authz zero length regression (2024-07-23)
Microsoft: Moby authz zero length regression (2024-07-09)
CVE-2024-41110 — Partial String Comparison | cvebase