github.com/docker/docker vulnerabilities
28 known vulnerabilities affecting github.com/docker_docker.
Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 8, MEDIUM 16, LOW 2
Vulnerabilities
CVE-2025-54388 [MEDIUM] CWE-909 Moby firewalld reload makes published container ports accessible from remote hosts
Affected versions: ≥ 28.2.0, < 28.3.3 | Date: 2025-07-29
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referr
Sources: GHSA, OSV

CVE-2025-54410 [LOW] CWE-909 Moby firewalld reload removes bridge network isolation
Affected versions: ≥ 0, < 25.0.13; ≥ 26.0.0-rc1, < 28.0.0 | Date: 2025-07-29
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as Docker, or Docker Engine.
Firewalld is a daemon u
Sources: GHSA, OSV

CVE-2024-41110 [CRITICAL] CWE-187 Authz zero length regression
Affected versions: ≥ 19.03.0, < 23.0.15; ≥ 26.0.0, < 26.1.5; +2 more | Date: 2024-07-30
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass [authorization plugins (AuthZ)](https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacte
Sources: GHSA, OSV

CVE-2021-41089 [LOW] CWE-281 `docker cp` allows unexpected chmod of host files in Moby Docker Engine
Affected versions: ≥ 0, < 20.10.9 | Date: 2024-06-10
## Impact
A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed with
Sources: GHSA, OSV

CVE-2022-24769 [MEDIUM] CWE-732 Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
Affected versions: ≥ 0, < 20.10.14 | Date: 2024-04-22
### Impact
A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set durin
Sources: GHSA, OSV

CVE-2024-32473 [MEDIUM] CWE-668 IPv6 enabled on IPv4-only network interfaces
Affected versions: ≥ 26.0.0, < 26.0.2 | Date: 2024-04-18
In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`.
### Impact
A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:
- Containers may be able to communicate with other
Sources: GHSA, OSV

CVE-2024-29018 [MEDIUM] CWE-669 Moby's external DNS requests from 'internal' networks could lead to data exfiltration
Affected versions: ≥ 26.0.0-rc1, < 26.0.0-rc3; ≥ 25.0.0, < 25.0.5; +1 more | Date: 2024-03-20
Moby is an open source container framework originally developed by Docker Inc. as Docker. It is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. As a batteries-included container runtime, Moby comes with a built-in networking implementa
Sources: GHSA, OSV

CVE-2024-24557 [MEDIUM] CWE-345 Classic builder cache poisoning
Affected versions: ≥ 0, < 24.0.9; ≥ 25.0.0, < 25.0.2 | Date: 2024-02-01
The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`.
Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candida
Sources: GHSA, OSV

CVE-2018-12608 [HIGH] CWE-288 Docker Authentication Bypass
Affected versions: ≥ 0, < 17.06.0-ce | Date: 2024-01-31
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
Sources: GHSA, OSV

CVE-2021-41091 [MEDIUM] CWE-281 Moby (Docker Engine) Insufficiently restricted permissions on data directory
Affected versions: ≥ 0, < 20.10.9 | Date: 2024-01-31
## Impact
A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable progr
Sources: GHSA, OSV

CVE-2020-27534 [MEDIUM] CWE-22 Path Traversal in Moby builder
Affected versions: ≥ 0, < 19.03.9 | Date: 2024-01-31
util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
Sources: GHSA, OSV

CVE-2023-28840 [HIGH] CWE-420 Docker Swarm encrypted overlay network may be unauthenticated
Affected versions: ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | Date: 2023-04-04
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *Docker*.
S
Sources: GHSA, OSV

CVE-2023-28842 [MEDIUM] CWE-420 Docker Swarm encrypted overlay network with a single endpoint is unauthenticated
Affected versions: ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | Date: 2023-04-04
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby)
Sources: GHSA, OSV

CVE-2023-28841 [MEDIUM] CWE-311 Docker Swarm encrypted overlay network traffic may be unencrypted
Affected versions: ≥ 1.12.0, < 20.10.24; ≥ 23.0.0, < 23.0.3 | Date: 2023-04-04
[Moby](https://mobyproject.org/) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as [moby/moby](https://github.com/moby/moby) is commonly referred to as *D
Sources: GHSA, OSV

CVE-2022-36109 [MEDIUM] CWE-863 Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions
Affected versions: ≥ 0, < 20.10.18 | Date: 2022-09-16
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manip
Sources: GHSA, OSV

CVE-2019-14271 [CRITICAL] CWE-665 Moby Docker cp broken with debian containers
Affected versions: ≥ 19.03.0, < 19.03.1 | Date: 2022-05-24
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
Sources: GHSA, OSV

CVE-2019-13509 [HIGH] CWE-532 Secret insertion into debug log in Docker
Affected versions: ≥ 0, < 18.09.8 | Date: 2022-05-24
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
Sources: GHSA, OSV

CVE-2014-9357 [HIGH] CWE-285 Arbitrary Code Execution
Affected versions: ≥ 0, < 1.3.3 | Date: 2022-02-15
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
Sources: GHSA, OSV

CVE-2014-6407 [HIGH] CWE-59 Arbitrary Code Execution in Docker
Affected versions: ≥ 0, < 1.3.2 | Date: 2022-02-15
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
Sources: GHSA, OSV

CVE-2015-3629 [HIGH] CWE-59 Arbitrary File Write in Libcontainer
Affected versions: ≥ 1.6.0, < 1.6.1 | Date: 2022-02-15
Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary files on the host system via a symlink attack in an image when respawning a container.
Sources: GHSA, OSV