CVE-2022-36109

Public on 2022-09-09

Modified on 2024-01-12

Description

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.

Severity

Low

See what this means

CVSS v3 Base Score

6.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2023	containerd	2023-02-17 20:46	ALAS2023-2023-079
Amazon Linux 2 - Docker Extra	docker	2023-04-27 17:43	ALAS2DOCKER-2023-024
Amazon Linux 2 - Docker Extra	docker	2023-03-30 22:07	ALAS2DOCKER-2023-022
Amazon Linux 2 - Ecs Extra	docker	2023-10-18 22:01	ALAS2ECS-2023-013
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra	docker	2023-03-30 22:07	ALAS2NITRO-ENCLAVES-2023-022
Amazon Linux 2023	docker	2023-03-20 18:27	ALAS2023-2023-143

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
NVD	CVSSv3	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Red Hat: CVE-2022-36109 Mitre: CVE-2022-36109 FAQs regarding Amazon Linux ALAS/CVE Severity

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

CVE-2022-36109

Affected Packages

CVSS Scores

References