Incorrect Authorization Affecting github.com/moby/moby/pkg/authorization package, versions >=19.3.0-beta1 <25.0.6>=26.0.0 <26.1.5>=27.0.0-rc.1 <27.1.1

Affected versions of this package are vulnerable to Incorrect Authorization using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly if not set to deny by default

Note:

1. Users with access to the Docker daemon can execute any Docker command, authorization plugins (AuthZ), approve or deny requests to the Docker daemon based on authentication and command context.

A security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1, the fix was not carried forward to later versions, resulting in a regression.

2. Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime and users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected.

Restrict access to the Docker API to trusted parties, following the principle of least privilege.

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Security Advisory