Security News > 2024 > July > Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins under specific circumstances.
"An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory.
Docker said the issue is a regression in that the issue was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but never got carried over to subsequent versions.
The following versions of Docker Engine are impacted assuming AuthZ is used to make access control decisions -.
"Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime are not vulnerable," Docker's Gabriela Georgieva said.
"Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected."
News URL
https://thehackernews.com/2024/07/critical-docker-engine-flaw-allows.html
Related news
- Docker fixes critical 5-year old authentication bypass flaw (source)
- Docker fixes critical auth bypass flaw, again (CVE-2024-41110) (source)
- Exploit for critical Progress Telerik auth bypass released, patch now (source)
- Exploit for critical Veeam auth bypass available, patch now (source)
- ASUS warns of critical remote authentication bypass on 7 routers (source)
- ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models (source)
- Hackers target new MOVEit Transfer critical auth bypass bug (source)
- You should probably fix this 5-year-old critical Docker vuln fairly sharpish (source)