CVE-2022-36109

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.  This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Affected Products (NVD)
VendorProductVersion
mobyprojectmoby
𝑥
< 20.10.18
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
docker.io
bookworm
20.10.24+dfsg1-1
fixed
bullseye
no-dsa
bullseye (security)
vulnerable
buster
no-dsa
sid
26.1.5+dfsg1-4
fixed
trixie
26.1.5+dfsg1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
docker.io
bionic
Fixed 20.10.21-0ubuntu1~18.04.1
released
focal
Fixed 20.10.21-0ubuntu1~20.04.1
released
jammy
Fixed 20.10.21-0ubuntu1~22.04.1
released
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
containerd
Amazon Linux 2023
0:1.6.8-2.amzn2023.0.3
fixed
containerd-debuginfo
Amazon Linux 2023
0:1.6.8-2.amzn2023.0.3
fixed
containerd-debugsource
Amazon Linux 2023
0:1.6.8-2.amzn2023.0.3
fixed
containerd-stress
Amazon Linux 2023
0:1.6.8-2.amzn2023.0.3
fixed
containerd-stress-debuginfo
Amazon Linux 2023
0:1.6.8-2.amzn2023.0.3
fixed
docker
Amazon Linux 2023
0:20.10.17-1.amzn2023.0.6
fixed
docker-debuginfo
Amazon Linux 2023
0:20.10.17-1.amzn2023.0.6
fixed
docker-debugsource
Amazon Linux 2023
0:20.10.17-1.amzn2023.0.6
fixed