github.com/moby/moby vulnerabilities
13 known vulnerabilities affecting github.com/moby/moby.
Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 8, UNKNOWN 3
Vulnerabilities
CVE-2024-36621 | HIGH | ≥ 0, < 26.0.0 | 2024-11-29
CVE-2024-36621 [HIGH] CWE-362 Moby Race Condition vulnerability
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
ghsa, osv

CVE-2024-36623 | HIGH | ≥ 0, < 25.0.4 | 2024-11-29
CVE-2024-36623 [HIGH] CWE-362 Moby Race Condition vulnerability
moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.
ghsa, osv

CVE-2024-36620 | MEDIUM | ≥ 25.0.0, < 26.1.0 | 2024-11-29
CVE-2024-36620 [MEDIUM] CWE-476 NULL Pointer Dereference on moby image history
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.
ghsa, osv

CVE-2024-41110 | UNKNOWN | ≥ 20.10.0+incompatible, < 25.0.6+incompatible; ≥ 26.0.0+incompatible, < 26.1.5+incompatible; +1 more | 2024-07-29
CVE-2024-41110 Moby authz zero length regression in github.com/moby/moby
osv

CVE-2019-14271 | UNKNOWN | ≥ 0, < 20.10.0-beta1+incompatible | 2024-06-28
CVE-2019-14271 Moby Docker cp broken with debian containers in github.com/docker/docker
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.
osv

CVE-2021-41089 | UNKNOWN | ≥ 0, < 20.10.9+incompatible | 2024-06-14
CVE-2021-41089 Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker
osv

CVE-2022-24769 | MEDIUM | ≥ 0, < 20.10.14 | 2024-04-22
CVE-2022-24769 [MEDIUM] CWE-732 Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
### Impact
A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set durin
ghsa, osv

CVE-2024-24557 | MEDIUM | ≥ 0, < 24.0.9; ≥ 25.0.0, < 25.0.2 | 2024-02-01
CVE-2024-24557 [MEDIUM] CWE-345 Classic builder cache poisoning
The classic builder cache system is prone to cache poisoning if the image is built `FROM scratch`.
Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss.
An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candida
ghsa, osv

CVE-2021-41091 | MEDIUM | ≥ 0, < 20.10.9 | 2024-01-31
CVE-2021-41091 [MEDIUM] CWE-281 Moby (Docker Engine) Insufficiently restricted permissions on data directory
## Impact
A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable progr
ghsa, osv

CVE-2021-21285 | MEDIUM | ≥ 0, < 19.3.15; ≥ 20.10.0-beta1, < 20.10.3 | 2024-01-31
CVE-2021-21285 [MEDIUM] CWE-400 moby docker daemon crash during image pull of malicious image
### Impact
Pulling an intentionally malformed Docker image manifest crashes the `dockerd` daemon.
### Patches
Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
### Credits
Maintainers would like to thank Josh Larsen, Ian Coldwater, Duffie Cooley, Rory McCune for working on the vulnerability and Brad Ge
ghsa, osv

CVE-2021-21284 | MEDIUM | ≥ 0, < 19.3.15; ≥ 20.10.0-beta1, < 20.10.3 | 2024-01-31
CVE-2021-21284 [MEDIUM] CWE-22 moby Access to remapped root allows privilege escalation to real root
### Impact
When using `--userns-remap`, if the root user in the remapped namespace has access to the host filesystem they can modify files under `/var/lib/docker/` that cause writing files with extended privileges.
### Patches
Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user
ghsa, osv

CVE-2020-27534 | MEDIUM | ≥ 0, < 19.03.9 | 2024-01-31
CVE-2020-27534 [MEDIUM] CWE-22 Path Traversal in Moby builder
util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
ghsa, osv

CVE-2017-16539 | MEDIUM | ≥ 0, < 17.12.0-ce | 2022-05-17
CVE-2017-16539 [MEDIUM] CWE-200 Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI
ghsa, osv