GHSA-qrqr-3x5j-2xw9: Docker Moby Authentication Bypass
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain-validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
CVE ID: CVE-2018-12608
High severity • GitHub Reviewed • Published Jan 31, 2024 to the GitHub Advisory Database • Updated Jan 31, 2024
Package: gomod github.com/moby/moby (Go)
Affected versions: < 17.06.0-ce
Patched versions: 17.06.0-ce
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-12608
- moby/moby#33173
- moby/moby#33182
- moby/moby@190c6e8