Vulnerability Details : CVE-2022-36109
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
Vulnerability category: Execute code
Products affected by CVE-2022-36109
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36109
0.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36109
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
1.8
|
3.4
|
GitHub, Inc. | 2025-01-17 |
|
6.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
GitHub, Inc. |
CWE ids for CVE-2022-36109
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-36109
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/
[SECURITY] Fedora 37 Update: moby-engine-20.10.18-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
Security vulnerability relating to supplementary group permissions · Advisory · moby/moby · GitHubThird Party Advisory
-
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation
Vulnerability in Linux containers – investigation and mitigation – Bentham’s Gaze
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU
[SECURITY] Fedora 37 Update: moby-engine-20.10.18-1.fc37 - package-announce - Fedora mailing-lists
-
https://github.com/moby/moby/releases/tag/v20.10.18
Release v20.10.18 · moby/moby · GitHubThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/
[SECURITY] Fedora 36 Update: moby-engine-20.10.18-1.fc36 - package-announce - Fedora mailing-lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ
[SECURITY] Fedora 36 Update: moby-engine-20.10.18-1.fc36 - package-announce - Fedora mailing-lists
-
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
Merge pull request from GHSA-rc4r-wh2q-q6c4 · moby/moby@de7af81 · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7JL2QA3RB732MLJ3RMUXB3IB7AA22YU/
[SECURITY] Fedora 37 Update: moby-engine-20.10.18-1.fc37 - package-announce - Fedora mailing-lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/
[SECURITY] Fedora 36 Update: moby-engine-20.10.18-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to