x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110

[GoVulnBot]

Advisory CVE-2024-41110 references a vulnerability in the following Go modules:

Module
github.com/moby/moby

Description:
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had bee...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
• FIX: moby/moby@411e817
• FIX: moby/moby@42f40b1
• FIX: moby/moby@65cc597
• FIX: moby/moby@852759a
• FIX: moby/moby@a312606
• FIX: moby/moby@a79fabb
• FIX: moby/moby@ae160b4
• FIX: moby/moby@ae2b366
• FIX: moby/moby@cc13f95
• FIX: moby/moby@fc274cd
• WEB: GHSA-v23v-6jw2-98fq
• WEB: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin

Cross references:

• github.com/moby/moby appears in 21 other report(s):
  • data/excluded/GO-2022-0390.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-0638.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-8fvr-5rqf-3wwh #638) NOT_IMPORTABLE
  • data/excluded/GO-2022-0708.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v4h8-794j-g8mm #708) NOT_IMPORTABLE
  • data/excluded/GO-2022-0751.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vj3f-3286-r4pf #751) NOT_IMPORTABLE
  • data/excluded/GO-2022-0985.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-36109 #985) NOT_IMPORTABLE
  • data/excluded/GO-2022-1107.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107) NOT_IMPORTABLE
  • data/excluded/GO-2023-1699.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28840 #1699) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1700.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28841 #1700) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1701.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28842 #1701) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2199.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2017-16539 #2199) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2207.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-10892 #2207) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2209.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-12608 #2209) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2212.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-15664 #2212) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2236.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2019-13139 #2236) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2316.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21284 #2316) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2317.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285 #2317) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 #2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 #2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 #2521)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 #2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 #2914)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/moby/moby
      vulnerable_at: 27.1.1+incompatible
summary: CVE-2024-41110 in github.com/moby/moby
cves:
    - CVE-2024-41110
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
    - fix: https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
    - fix: https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
    - fix: https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
    - fix: https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
    - fix: https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
    - fix: https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
    - fix: https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
    - fix: https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
    - fix: https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
    - fix: https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
    - web: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
    - web: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
source:
    id: CVE-2024-41110
    created: 2024-07-24T18:01:20.423262654Z
review_status: UNREVIEWED

[jiridudekusy]

Please add this vulnerability to the database.

[gopherbot]

Change https://go.dev/cl/601387 mentions this issue: data/reports: add GO-2024-3005