x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-q59j-vv4j-v33c

[GoVulnBot]

Advisory GHSA-q59j-vv4j-v33c references a vulnerability in the following Go modules:

Module
github.com/moby/moby

Description:
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.

References:

• ADVISORY: GHSA-q59j-vv4j-v33c
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-36620
• FIX: moby/moby@ab570ab
• WEB: https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2
• WEB: https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48

Cross references:

• github.com/moby/moby appears in 16 other report(s):
  • data/excluded/GO-2023-2199.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2017-16539 #2199) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2207.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-10892 #2207) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2209.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-12608 #2209) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2212.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-15664 #2212) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2236.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2019-13139 #2236) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2316.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21284 #2316) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2317.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285 #2317) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2022-0390.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390)
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 #2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 #2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 #2521)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 #2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 #2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 #3005)
  • data/reports/GO-2024-3304.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-2mj3-vfvx-fc43 #3304)
  • data/reports/GO-2024-3305.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-gh5c-3h97-2f3q #3305)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/moby/moby
      versions:
        - introduced: 25.0.0+incompatible
        - fixed: 26.1.0+incompatible
      vulnerable_at: 26.0.2+incompatible
summary: NULL Pointer Dereference on moby image history in github.com/moby/moby
cves:
    - CVE-2024-36620
ghsas:
    - GHSA-q59j-vv4j-v33c
references:
    - advisory: https://github.com/advisories/GHSA-q59j-vv4j-v33c
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36620
    - fix: https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4
    - web: https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2
    - web: https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48
source:
    id: GHSA-q59j-vv4j-v33c
    created: 2024-12-04T23:02:07.394638618Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/634615 mentions this issue: data/reports: add 3 reports