Incorrect Authorization affecting the github.com/moby/moby/pkg/authorization package, versions >=19.3.0-beta1 <25.0.6, >=26.0.0 <26.1.5, >=27.0.0-rc.1 <27.1.1
- Snyk ID SNYK-GOLANG-GITHUBCOMMOBYMOBYPKGAUTHORIZATION-7573312
- published 30 Jul 2024
- disclosed 29 Jul 2024
- credit Cory Snider
Introduced: 29 Jul 2024
- CVE-2024-41110
How to fix?
Upgrade github.com/moby/moby/pkg/authorization to version 25.0.6, 26.1.5, 27.1.1 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Authorization. An API request with Content-Length set to 0 causes the Docker daemon to forward the request to the AuthZ plugin without its body; a plugin that does not deny by default may then approve a request it would have rejected had it seen the body.
Note:
- Users with access to the Docker daemon can execute any Docker command. Authorization plugins (AuthZ) approve or deny requests to the Docker daemon based on authentication and command context. A security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request, which could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1, the fix was not carried forward to later versions, resulting in a regression.
- Users of Docker Engine v19.03.x and later who do not rely on authorization plugins to make access control decisions, users of all versions of Mirantis Container Runtime, and users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected.
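The following is an added example, not code from the advisory or from moby itself, showing why the plugin side of this issue matters: a minimal AuthZ plugin decision function written in the weak "deny only when I see something bad" style approves a container-create request once the daemon strips its body, while a deny-by-default decision function refuses it. The AuthZRequest and AuthZResponse types are redeclared locally to mirror the documented plugin protocol (the upstream type is github.com/docker/docker/pkg/authorization.Request) so the example builds without the moby module; the privileged-container policy, the user "alice" and the sample request body are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// AuthZRequest mirrors the JSON the daemon POSTs to a plugin's
// /AuthZPlugin.AuthZReq endpoint. Redeclared here (assumption: field tags
// follow the documented plugin protocol) so this builds without moby.
type AuthZRequest struct {
	User            string            `json:"User,omitempty"`
	UserAuthNMethod string            `json:"UserAuthNMethod,omitempty"`
	RequestMethod   string            `json:"RequestMethod,omitempty"`
	RequestURI      string            `json:"RequestUri,omitempty"`
	RequestHeaders  map[string]string `json:"RequestHeaders,omitempty"`
	RequestBody     []byte            `json:"RequestBody,omitempty"` // base64 on the wire
}

// AuthZResponse is the plugin's answer to the daemon.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// createSpec holds the only part of a container-create body this toy policy inspects.
type createSpec struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

func isContainerCreate(req AuthZRequest) bool {
	return req.RequestMethod == http.MethodPost &&
		strings.Contains(req.RequestURI, "/containers/create")
}

// PermissiveDecide is the weak pattern: it denies only when it positively sees
// Privileged=true. A request forwarded without a body (what the daemon does when
// the client sends Content-Length: 0) fails to parse and falls through to allow.
func PermissiveDecide(req AuthZRequest) AuthZResponse {
	if isContainerCreate(req) {
		var spec createSpec
		if err := json.Unmarshal(req.RequestBody, &spec); err == nil && spec.HostConfig.Privileged {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
		// Empty or unparseable body is silently treated as harmless: this is the bug.
	}
	return AuthZResponse{Allow: true}
}

// DenyByDefaultDecide is the hardened pattern: a policy-relevant request is
// allowed only after its body has actually been evaluated. A missing or
// unparseable body is denied rather than assumed harmless.
func DenyByDefaultDecide(req AuthZRequest) AuthZResponse {
	if !isContainerCreate(req) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "container create without a request body is denied"}
	}
	var spec createSpec
	if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
		return AuthZResponse{Allow: false, Msg: "unparseable container create body: " + err.Error()}
	}
	if spec.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
	}
	return AuthZResponse{Allow: true}
}

// AuthZHandler exposes a decision function as the plugin's HTTP endpoint.
// A request the plugin itself cannot decode is denied, never approved.
func AuthZHandler(decide func(AuthZRequest) AuthZResponse) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(AuthZResponse{Allow: false, Err: err.Error()})
			return
		}
		json.NewEncoder(w).Encode(decide(req))
	})
}

func main() {
	// Constructed sample: the same privileged create as the plugin sees it
	// normally, and as it sees it once the daemon has stripped the body.
	body := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	withBody := AuthZRequest{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create", RequestBody: body}
	stripped := withBody
	stripped.RequestBody = nil
	for _, c := range []struct {
		name string
		req  AuthZRequest
	}{{"with body", withBody}, {"body stripped", stripped}} {
		fmt.Printf("%-14s permissive=%v deny-by-default=%v\n",
			c.name, PermissiveDecide(c.req).Allow, DenyByDefaultDecide(c.req).Allow)
	}
}
```

The point a plugin author should take from this: the daemon-side fix makes the body arrive again, but a plugin that reaches Allow whenever it fails to find a reason to deny will be bypassed by any future variant that starves it of context. Decide positively, and treat "cannot evaluate" as deny.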
Workaround
Restrict access to the Docker API to trusted parties, following the principle of least privilege.