#VU87658 Incorrect Resource Transfer Between Spheres in moby - CVE-2024-29018

Cybersecurity Help s.r.o.

Published: 2024-03-20 | Updated: 2024-03-21

Vulnerability identifier: #VU87658

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-29018

CWE-ID: CWE-669

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
moby
Server applications / Virtualization software

Vendor: Moby project

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application within external DNS requests from "internal" networks. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

moby: 23.0.0 - 23.0.10, 25.0.0 - 25.0.3, 26.0.0 rc1 - 26.0.0 rc2

External links
https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
https://github.com/moby/moby/releases/tag/v25.0.5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for docker

Ubuntu update for docker.io

SUSE update for docker-stable

Ubuntu update for docker.io

Multiple vulnerabilities in IBM Cloud Pak System

Multiple vulnerabilities in Migration Toolkit for Containers 1.8

Multiple vulnerabilities in IBM Concert

Multiple vulnerabilities in IBM Edge Application Manager

openEuler 22.03 LTS SP3 update for docker