Source: docker.io X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for docker.io. CVE-2022-36109[0]: | Moby is an open-source project created by Docker to enable software | containerization. A bug was found in Moby (Docker Engine) where | supplementary groups are not set up properly. If an attacker has | direct access to a container and manipulates their supplementary group | access, they may be able to use supplementary group access to bypass | primary group restrictions in some cases, potentially gaining access | to sensitive information or gaining the ability to execute code in | that container. This bug is fixed in Moby (Docker Engine) 20.10.18. | Running containers should be stopped and restarted for the permissions | to be fixed. For users unable to upgrade, this problem can be worked | around by not using the `"USER $USERNAME"` Dockerfile instruction. | Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary | groups will be set up properly. https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-36109 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36109 Please adjust the affected versions in the BTS as needed.
