critical
10
CWE
187 444 863
Advisory Published
Advisory Published
Updated

CVE-2024-41110: Moby authz zero length regression

First published: Wed Jul 24 2024(Updated: )

A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass [authorization plugins (AuthZ)](https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users. ### Impact Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an [authorization plugin](https://docs.docker.com/engine/extend/plugins_authorization/) without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine [v18.09.1](https://docs.docker.com/engine/release-notes/18.09/#security-fixes-1) in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime **are not vulnerable.** ### Vulnerability details - **AuthZ bypass and privilege escalation:** An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly. - **Initial fix:** The issue was fixed in Docker Engine [v18.09.1](https://docs.docker.com/engine/release-notes/18.09/#security-fixes-1) January 2019.. - **Regression:** The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned [CVE-2024-41110](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110). ### Patches - docker-ce v27.1.1 containes patches to fix the vulnerability. - Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. ### Remediation steps - If you are running an affected version, update to the most recent patched version. - Mitigation if unable to update immediately: - Avoid using AuthZ plugins. - Restrict access to the Docker API to trusted parties, following the principle of least privilege. ### References - https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb - https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1 - https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
go/github.com/docker/docker>=27.0.0<27.1.1
27.1.1
go/github.com/docker/docker>=26.0.0<26.1.5
26.1.5
go/github.com/docker/docker>=19.03.0<23.0.15
23.0.15
go/github.com/docker/docker>=24.0.0<25.0.6
25.0.6
debian/docker.io<=20.10.5+dfsg1-1+deb11u2
20.10.5+dfsg1-1+deb11u3
20.10.24+dfsg1-1+deb12u1
26.1.5+dfsg1-4
IBM Cognos Dashboards<=5.0.0
IBM Cognos Dashboards<=4.8.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2024-41110?

    CVE-2024-41110 is classified as a critical vulnerability due to its potential to bypass authorization mechanisms in Docker Engine.

  • Which versions are affected by CVE-2024-41110?

    CVE-2024-41110 affects various versions of Docker Engine, specifically those prior to 27.1.1, 26.1.5, and 23.0.15.

  • How do I fix CVE-2024-41110?

    To mitigate CVE-2024-41110, upgrade Docker Engine to version 27.1.1, 26.1.5, or 23.0.15 or later.

  • What impact does CVE-2024-41110 have on Docker security?

    CVE-2024-41110 can allow unauthorized access, potentially compromising sensitive data and service integrity.

  • Are there specific products impacted by CVE-2024-41110?

    Yes, products like IBM Cognos Dashboards on Cloud Pak for Data prior to 5.0.0 are affected by CVE-2024-41110.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203