apk package
chainguard/dockerd-service
pkg:apk/chainguard/dockerd-service
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-24786 | Hig | 7.5 | < 25.0.4-r1 | 25.0.4-r1 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | |
| CVE-2024-24557 | — | < 0 | 0 | Feb 1, 2024 | Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause | ||
| CVE-2024-23653 | — | < 25.0.2-r0 | 25.0.2-r0 | Jan 31, 2024 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use th | ||
| CVE-2024-23652 | — | < 25.0.2-r0 | 25.0.2-r0 | Jan 31, 2024 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file o | ||
| CVE-2024-23651 | — | < 25.0.2-r0 | 25.0.2-r0 | Jan 31, 2024 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host syste | ||
| CVE-2024-23650 | — | < 25.0.2-r0 | 25.0.2-r0 | Jan 31, 2024 | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a | ||
| CVE-2024-21626 | — | < 25.0.2-r0 | 25.0.2-r0 | Jan 31, 2024 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h | ||
| CVE-2022-24769 | — | < 0 | 0 | Mar 24, 2022 | Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atyp | ||
| CVE-2021-41089 | — | < 28.0.2-r0 | 28.0.2-r0 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h | ||
| CVE-2021-41091 | — | < 0 | 0 | Oct 4, 2021 | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege | ||
| CVE-2020-27534 | — | < 0 | 0 | Dec 30, 2020 | util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call. | ||
| CVE-2014-9356 | — | < 0 | 0 | Dec 2, 2019 | Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. | ||
| CVE-2019-13509 | — | < 0 | 0 | Jul 18, 2019 | In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non | ||
| CVE-2015-3627 | — | < 0 | 0 | May 18, 2015 | Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. | ||
| CVE-2014-9358 | — | < 0 | 0 | Dec 16, 2014 | Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications." | ||
| CVE-2014-9357 | — | < 0 | 0 | Dec 16, 2014 | Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. | ||
| CVE-2014-6407 | — | < 0 | 0 | Dec 12, 2014 | Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation. | ||
| CVE-2014-5277 | — | < 0 | 0 | Nov 17, 2014 | Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and | ||
| CVE-2014-3499 | — | < 0 | 0 | Jul 11, 2014 | Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors. |
- affected < 25.0.4-r1fixed 25.0.4-r1
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
- CVE-2024-24557Feb 1, 2024affected < 0fixed 0
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause
- CVE-2024-23653Jan 31, 2024affected < 25.0.2-r0fixed 25.0.2-r0
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use th
- CVE-2024-23652Jan 31, 2024affected < 25.0.2-r0fixed 25.0.2-r0
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file o
- CVE-2024-23651Jan 31, 2024affected < 25.0.2-r0fixed 25.0.2-r0
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host syste
- CVE-2024-23650Jan 31, 2024affected < 25.0.2-r0fixed 25.0.2-r0
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a
- CVE-2024-21626Jan 31, 2024affected < 25.0.2-r0fixed 25.0.2-r0
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
- CVE-2022-24769Mar 24, 2022affected < 0fixed 0
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atyp
- CVE-2021-41089Oct 4, 2021affected < 28.0.2-r0fixed 28.0.2-r0
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the h
- CVE-2021-41091Oct 4, 2021affected < 0fixed 0
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivilege
- CVE-2020-27534Dec 30, 2020affected < 0fixed 0
util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
- CVE-2014-9356Dec 2, 2019affected < 0fixed 0
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.
- CVE-2019-13509Jul 18, 2019affected < 0fixed 0
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non
- CVE-2015-3627May 18, 2015affected < 0fixed 0
Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
- CVE-2014-9358Dec 16, 2014affected < 0fixed 0
Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications."
- CVE-2014-9357Dec 16, 2014affected < 0fixed 0
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
- CVE-2014-6407Dec 12, 2014affected < 0fixed 0
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
- CVE-2014-5277Nov 17, 2014affected < 0fixed 0
Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and
- CVE-2014-3499Jul 11, 2014affected < 0fixed 0
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
Page 2 of 2