Critical docker engine flaw allows attackers to bypass authorization plugins

lkapilcloud · July 25, 2024, 6:33am

Tracked as CVE-2024-41110, the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity.

“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” the Moby Project maintainers said in an advisory.

Have anyone any info about is it resolved or not?

bluepuma77 · July 25, 2024, 6:40am

It’s right on the page you linked:

Patched versions
. > v23.0.14, > v26.1.4, > v27.1.0

meyay · July 25, 2024, 6:43am

Even though it should be obvious, I will still mention it:
Only installations that actually use an AuthZ plugin are affected .

Topic		Replies	Views
Authorization plugins - passing user credentials General	2	1227	March 14, 2016
Is Docker Engine 25.0.6 patch expected? General docker	3	536	August 1, 2024
How to implement Docker Authentication? General	1	1455	April 19, 2016
Official containers and security CVE issues General dockersecurityscan , security	0	829	July 4, 2017
How to deny use of --privileged or --cap-add options? General	3	2705	April 11, 2016

Critical docker engine flaw allows attackers to bypass authorization plugins

Related topics