github.com/docker/docker: GHSA-v23v-6jw2-98fq, CVE-2024-41110

[tatianab]

Advisory GHSA-v23v-6jw2-98fq references a vulnerability in the following Go modules:

Module
github.com/docker/docker
github.com/docker/docker
github.com/docker/docker
github.com/docker/docker

Description:
A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Impact

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an [authorization plugin](https://docs.docker.com/engi...

References:

• ADVISORY: GHSA-v23v-6jw2-98fq
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
• WEB: moby/moby@411e817
• WEB: moby/moby@42f40b1
• WEB: moby/moby@65cc597
• WEB: moby/moby@852759a
• WEB: moby/moby@a312606
• WEB: moby/moby@a79fabb
• WEB: moby/moby@ae160b4
• WEB: moby/moby@ae2b366
• WEB: moby/moby@cc13f95
• WEB: moby/moby@fc274cd
• WEB: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin

!! Possible duplicate report !!

• CVE-2024-41110 appears in 1 other report(s):
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)

Cross references:

• github.com/docker/docker appears in 72 other report(s):
  • data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
  • data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
  • data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
  • data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
  • data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
  • data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
  • data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
  • data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
  • data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
  • data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
  • data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
  • data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
  • data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
  • data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
  • data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
  • data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
  • data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
  • data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
  • data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
  • data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
  • data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
  • data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
  • data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
  • data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
  • data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
  • data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
  • data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
  • data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
  • data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
  • data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
  • data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
  • data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
  • data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
  • data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
  • data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
  • data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)
  • data/excluded/GO-2022-0625.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 golang/vulndb#625) NOT_IMPORTABLE
  • data/excluded/GO-2022-0630.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm golang/vulndb#630) NOT_IMPORTABLE
  • data/excluded/GO-2022-0636.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg golang/vulndb#636) NOT_IMPORTABLE
  • data/excluded/GO-2022-0640.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h golang/vulndb#640) NOT_IMPORTABLE
  • data/excluded/GO-2022-0647.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv golang/vulndb#647) NOT_IMPORTABLE
  • data/excluded/GO-2022-0649.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw golang/vulndb#649) NOT_IMPORTABLE
  • data/excluded/GO-2022-0705.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv golang/vulndb#705) NOT_IMPORTABLE
  • data/excluded/GO-2022-0752.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm golang/vulndb#752) NOT_IMPORTABLE
  • data/excluded/GO-2023-2013.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv golang/vulndb#2013) NOT_IMPORTABLE
  • data/excluded/GO-2023-2161.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p golang/vulndb#2161) NOT_IMPORTABLE
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 golang/vulndb#2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 golang/vulndb#2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 golang/vulndb#2521)
  • data/reports/GO-2024-2659.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx golang/vulndb#2659)
  • data/reports/GO-2024-2737.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 golang/vulndb#2737)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 golang/vulndb#2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 golang/vulndb#2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 golang/vulndb#3005)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/docker/docker
      non_go_versions:
        - introduced: 19.03.0
        - fixed: 23.0.14
      vulnerable_at: 27.1.1+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 24.0.0+incompatible
        - fixed: 25.0.6+incompatible
      vulnerable_at: 25.0.5+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 26.0.0+incompatible
        - fixed: 26.1.4+incompatible
      vulnerable_at: 26.1.3+incompatible
    - module: github.com/docker/docker
      versions:
        - introduced: 27.0.0+incompatible
        - fixed: 27.1.0+incompatible
      vulnerable_at: 27.0.3+incompatible
summary: Authz zero length regression in github.com/docker/docker
cves:
    - CVE-2024-41110
ghsas:
    - GHSA-v23v-6jw2-98fq
references:
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41110
    - web: https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
    - web: https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
    - web: https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
    - web: https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
    - web: https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
    - web: https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
    - web: https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
    - web: https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
    - web: https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
    - web: https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
    - web: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
notes:
    - fix: 'module merge error: could not merge versions of module github.com/docker/docker: invalid or non-canonical semver version (found 19.03.0)'
source:
    id: GHSA-v23v-6jw2-98fq
    created: 2024-08-01T17:10:13.279859-04:00
review_status: UNREVIEWED