Security News > 2024 > July > Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins

Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins under specific circumstances.

"An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory.

Docker said the issue is a regression in that the issue was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but never got carried over to subsequent versions.

The following versions of Docker Engine are impacted assuming AuthZ is used to make access control decisions -.

"Users of Docker Engine v19.03.x and later versions who do not rely on authorization plugins to make access control decisions and users of all versions of Mirantis Container Runtime are not vulnerable," Docker's Gabriela Georgieva said.

"Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected."

News URL

https://thehackernews.com/2024/07/critical-docker-engine-flaw-allows.html