CVE-2022-36109

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.  This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
GitHub_MCNA
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
VendorProductVersion
mobyprojectmoby
𝑥
< 20.10.18
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
docker.io
bullseye
no-dsa
buster
no-dsa
bullseye (security)
vulnerable
bookworm
20.10.24+dfsg1-1
fixed
sid
26.1.5+dfsg1-4
fixed
trixie
26.1.5+dfsg1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
docker.io
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
Fixed 20.10.21-0ubuntu1~22.04.1
released
focal
Fixed 20.10.21-0ubuntu1~20.04.1
released
bionic
Fixed 20.10.21-0ubuntu1~18.04.1
released
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
https://github.com/moby/moby/releases/tag/v20.10.18
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
https://github.com/moby/moby/releases/tag/v20.10.18
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/