Strix
26.1K

CVE-2022-36109

MEDIUMCVSS 6.3/10EPSS 0.81%

Last modified

CVE-2022-36109 is a medium-severity vulnerability rated 6.3/10 on the CVSS scale. Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. EPSS estimates a 0.81% chance of exploitation in the next 30 days.

Description

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.

Metrics

CVSS 3.1
6.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Probability
0.81%

52.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MobyprojectMoby< 20.10.18
FedoraprojectFedora36
FedoraprojectFedora37

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-36109?
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
How severe is CVE-2022-36109?
CVE-2022-36109 has a CVSS score of 6.3/10 (MEDIUM severity). The EPSS model estimates a 0.81% probability of exploitation in the next 30 days.
How do I fix CVE-2022-36109?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-36109?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST