Vulnerability Report: GO-2024-2659
- CVE-2024-29018, GHSA-mq39-4gv4-mvpx
- Affects: github.com/docker/docker
- Published: Mar 22, 2024
- Modified: May 20, 2024
Because dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.
For detailed information about this vulnerability, visit https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx.
Affected Modules
- Path: github.com/docker/docker
- Go Versions: from v25.0.0+incompatible before v25.0.5+incompatible, from v26.0.0-rc1+incompatible before v26.0.0-rc3+incompatible
References
- https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
- https://github.com/moby/moby/pull/46609
- https://vuln.go.dev/ID/GO-2024-2659.json
Credits
- @robmry, @akerouanton, @neersighted, @gabriellavengeo