Moby Docker Engine 20.10.17: Group Bypass CVE-2022-36109
CVE-2022-36109 Published on September 9, 2022

Moby vulnerability relating to supplementary group permissions
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.

Github Repository Github Repository NVD

Vulnerability Analysis

CVE-2022-36109 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2022-36109 has been classified to as an AuthZ vulnerability or weakness.


Products Associated with CVE-2022-36109

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-36109 are published in these products:

Mobyproject Moby
 
Fedora Project Fedora
 
Docker
 

Affected Versions

moby Version < 20.10.18 is affected by CVE-2022-36109

Exploit Probability

EPSS
0.03%
Percentile
8.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.