x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.
Comments
Vulnerability in tool.
neild added the label "excluded: EFFECTIVELY_PRIVATE" (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.) and removed the label "NotGoVuln" on Aug 11, 2022
This was referenced Apr 4, 2023
This was referenced Nov 8, 2023
This was referenced Feb 1, 2024
Change https://go.dev/cl/592767 mentions this issue:
Change https://go.dev/cl/607217 mentions this issue:
gopherbot pushed a commit that referenced this issue on Aug 21, 2024
- data/reports/GO-2022-0367.yaml
- data/reports/GO-2022-0368.yaml
- data/reports/GO-2022-0369.yaml
- data/reports/GO-2022-0372.yaml
- data/reports/GO-2022-0374.yaml
- data/reports/GO-2022-0375.yaml
- data/reports/GO-2022-0377.yaml
- data/reports/GO-2022-0378.yaml
- data/reports/GO-2022-0381.yaml
- data/reports/GO-2022-0387.yaml
- data/reports/GO-2022-0388.yaml
- data/reports/GO-2022-0389.yaml
- data/reports/GO-2022-0390.yaml
- data/reports/GO-2022-0392.yaml
- data/reports/GO-2022-0393.yaml
- data/reports/GO-2022-0395.yaml
- data/reports/GO-2022-0396.yaml
- data/reports/GO-2022-0398.yaml
- data/reports/GO-2022-0405.yaml
- data/reports/GO-2022-0406.yaml

Updates #367
Updates #368
Updates #369
Updates #372
Updates #374
Updates #375
Updates #377
Updates #378
Updates #381
Updates #387
Updates #388
Updates #389
Updates #390
Updates #392
Updates #393
Updates #395
Updates #396
Updates #398
Updates #405
Updates #406

Change-Id: I001f245aa4d9225668c2b30e3d5b4ca7a7e9b3b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607217
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
CVE-2022-24769 references github.com/moby/moby, which may be a Go module.

Description:
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting.

Links:
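The description above says the symptom of the bug is a non-empty inheritable set in an otherwise unprivileged container process, and that the fix (or a capsh(1) entry point) leaves it empty. The following Go program is an added example, not code from Moby or from x/vulndb: it parses the Cap* lines of a /proc/<pid>/status file, decodes the hex masks into capability names, and reports which inheritable capabilities fall inside the bounding set, which is exactly what a binary carrying inheritable file capabilities could pick up on execve(2). The two status excerpts are constructed samples (the mask 00000000a80425fb is Docker's default capability set), and the name table follows the numbering in linux/capability.h; when run on Linux it also checks the current process.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames maps capability numbers to names, in linux/capability.h order.
var capNames = []string{
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
	"setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
	"net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
	"sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
	"sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
	"sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
	"setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
	"block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

// CapSets holds the four capability sets of interest from /proc/<pid>/status.
type CapSets struct {
	Inh, Prm, Eff, Bnd uint64
}

// ParseStatus extracts the CapInh/CapPrm/CapEff/CapBnd hex masks from the
// text of a /proc/<pid>/status file; input missing any of them is rejected.
func ParseStatus(text string) (CapSets, error) {
	var cs CapSets
	want := map[string]*uint64{"CapInh": &cs.Inh, "CapPrm": &cs.Prm, "CapEff": &cs.Eff, "CapBnd": &cs.Bnd}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		dst := want[key]
		if !ok || dst == nil {
			continue // not one of the Cap* lines we care about
		}
		v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", key, err)
		}
		*dst = v
		delete(want, key)
	}
	if len(want) != 0 {
		return cs, fmt.Errorf("status text lacks %d of the Cap* lines", len(want))
	}
	return cs, nil
}

// Names decodes a capability bitmask into capability names, lowest bit first.
func Names(mask uint64) []string {
	var out []string
	for i := 0; i < 64; i++ {
		if mask&(1<<uint(i)) == 0 {
			continue
		}
		name := fmt.Sprintf("cap_%d", i) // fallback for bits newer than the table
		if i < len(capNames) {
			name = capNames[i]
		}
		out = append(out, name)
	}
	return out
}

// InheritableLeak returns the inheritable capabilities that also lie in the
// bounding set: the ones a binary with inheritable file capabilities could add
// to its permitted set on execve(2). A container started by Moby 20.10.14 or
// later has an empty inheritable set, so this comes back empty.
func InheritableLeak(cs CapSets) []string {
	return Names(cs.Inh & cs.Bnd)
}

// VulnerableStatus is a constructed excerpt as an unprivileged user in a
// container from an affected engine would see it: permitted and effective
// are empty, yet the inheritable set still holds the container's bounding set.
const VulnerableStatus = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\n" +
	"CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"

// FixedStatus is the same constructed view after the fix (or after capsh(1)
// dropped the inheritable set): CapInh is all zeros.
const FixedStatus = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n" +
	"CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"

func report(label, text string) {
	cs, err := ParseStatus(text)
	if err != nil {
		fmt.Printf("%s: %v\n", label, err)
		return
	}
	fmt.Printf("%s: inheritable caps within bounding set = %v\n", label, InheritableLeak(cs))
}

func main() {
	report("constructed vulnerable sample", VulnerableStatus)
	report("constructed fixed sample", FixedStatus)
	if b, err := os.ReadFile("/proc/self/status"); err == nil { // live check on Linux
		report("this process", string(b))
	}
}
```

Running it inside a container as a non-root user is the quickest way to confirm whether the engine in use still starts containers with a populated inheritable set; the constructed vulnerable sample decodes to Docker's default fourteen capabilities, the fixed sample to none.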
See doc/triage.md for instructions on how to triage this report.