Docker re-fixes a critical authorization bypass vulnerability
- by nlqip
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said in the advisory.
The AuthZ plugin would have otherwise denied the request if the body had been forwarded to it, the company added.
Low exploitability
The vulnerability was initially fixed in a January 2019 rollout, Docker Engine v18.09.1. However, subsequent rollouts including Docker Engine v19.03 and newer versions did not include the fix, leading to regression.
Source link
lol
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said in the advisory. The AuthZ plugin would have otherwise denied the request if the body had been…
Recent Posts
- Exploit code released for critical Ivanti RCE flaw, patch now
- Amazon CEO: New Return-To-Office Policy Will ‘Require Some Adjustments’
- Microsoft rolls out Office LTSC 2024 for Windows and Mac
- New Microsoft Copilot Update Wave Focuses On Page, App Integration, Agents
- Here’s How Four MSPs Are Helping Clients Navigate AI