Moby vulnerability relating to supplementary group permissions
CVE-2022-36109

5.3MEDIUM

Key Information:

Vendor
Moby
Status
Moby
Vendor
CVE Published:
9 September 2022

Summary

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the "USER $USERNAME" Dockerfile instruction. Instead by calling ENTRYPOINT ["su", "-", "user"] the supplementary groups will be set up properly.

Affected Version(s)

moby < 20.10.18

References

https://github.com/moby/moby/security/advisories/GHSA-rc4...
x_refsource_CONFIRM
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06...
x_refsource_MISC
https://github.com/moby/moby/releases/tag/v20.10.18
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2022-36109 : Moby vulnerability relating to supplementary group permissions | SecurityVulnerability.io