Moby Mobyproject Moby

Do you want an email whenever new security vulnerabilities are reported in Mobyproject Moby?

By the Year

In 2022 there have been 1 vulnerability in Mobyproject Moby with an average score of 5.3 out of ten. Last year Moby had 2 security vulnerabilities published. Right now, Moby is on track to have less security vulnerabilities in 2022 than it did last year. Last year, the average CVE base score was greater by 1.00

Year Vulnerabilities Average Score
2022 1 5.30
2021 2 6.30
2020 0 0.00
2019 0 0.00
2018 2 6.40

It may take a day or so for new Moby vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Mobyproject Moby Security Vulnerabilities

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions

CVE-2022-27652 5.3 - Medium - April 18, 2022

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Incorrect Default Permissions

Moby is an open-source project created by Docker to enable software containerization

CVE-2021-41089 6.3 - Medium - October 04, 2021

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the hosts filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Improper Preservation of Permissions

Moby is an open-source project created by Docker to enable software containerization

CVE-2021-41091 6.3 - Medium - October 04, 2021

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.

Improper Preservation of Permissions

An issue was discovered in Docker Moby before 17.06.0

CVE-2018-12608 7.5 - High - September 10, 2018

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.

Improper Certificate Validation

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames

CVE-2018-10892 5.3 - Medium - July 06, 2018

The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux Server or by Mobyproject? Click the Watch button to subscribe.

Mobyproject
Vendor

subscribe