Docker re-fixes a critical authorization bypass vulnerability
- by nlqip
“An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly,” Docker said in the advisory.
The AuthZ plugin would have otherwise denied the request if the body had been forwarded to it, the company added.
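One plugin-side mitigation for the bypass described above, as an added example that is not Docker's code or part of the advisory: a fail-closed AuthZ decision in Go. It assumes the plugin protocol's request fields (RequestMethod, RequestUri and a base64 RequestBody) and inspects the HostConfig.Privileged flag of a container-create body; a create request that reaches the plugin without a body is denied instead of being approved unseen.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// AuthZRequest holds the fields the daemon posts to /AuthZPlugin.AuthZReq;
// RequestBody is base64 on the wire, which encoding/json maps to []byte.
// Added example for illustration, not Docker's own plugin code.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestUri    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody,omitempty"`
}

// AuthZResponse is the plugin's verdict in the protocol's response shape.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// bodyRequired marks calls whose policy-relevant settings live in the body.
func bodyRequired(method, uri string) bool {
	return method == http.MethodPost && strings.Contains(uri, "/containers/create")
}

// Decide fails closed: a create request that arrives without a body (as it
// does when the client sends Content-Length: 0) is denied, not approved unseen.
func Decide(req AuthZRequest) AuthZResponse {
	if !bodyRequired(req.RequestMethod, req.RequestUri) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "request body missing; policy cannot be evaluated"}
	}
	var cfg struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(req.RequestBody, &cfg); err != nil {
		return AuthZResponse{Allow: false, Msg: "unparseable body: " + err.Error()}
	}
	if cfg.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return AuthZResponse{Allow: true}
}
```

A real plugin would wrap Decide in an HTTP handler and extend bodyRequired to every endpoint whose policy depends on body content.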
Low exploitability
The vulnerability was initially fixed in January 2019 with Docker Engine v18.09.1. However, subsequent releases, including Docker Engine v19.03 and later, did not carry the fix forward, so the issue regressed.