data/reports: add GO-2024-2659.yaml

Aliases: CVE-2024-29018, GHSA-mq39-4gv4-mvpx

Fixes golang/vulndb#2659

Change-Id: I4487ea55ed9b021f41ed4294ce42780a850301c7
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/573835
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Run-TryBot: Tim King <taking@google.com>
diff --git a/data/osv/GO-2024-2659.json b/data/osv/GO-2024-2659.json
new file mode 100644
index 0000000..9a77f4b
--- /dev/null
+++ b/data/osv/GO-2024-2659.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2659",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-29018",
+    "GHSA-mq39-4gv4-mvpx"
+  ],
+  "summary": "Data exfiltration from internal networks in github.com/docker/docker",
+  "details": "dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/docker/docker",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "25.0.0+incompatible"
+            },
+            {
+              "fixed": "25.0.5+incompatible"
+            },
+            {
+              "introduced": "26.0.0-rc1+incompatible"
+            },
+            {
+              "fixed": "26.0.0-rc3+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/pull/46609"
+    }
+  ],
+  "credits": [
+    {
+      "name": "@robmry"
+    },
+    {
+      "name": "@akerouanton"
+    },
+    {
+      "name": "@neersighted"
+    },
+    {
+      "name": "@gabriellavengeo"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2659"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2659.yaml b/data/reports/GO-2024-2659.yaml
new file mode 100644
index 0000000..f817d66
--- /dev/null
+++ b/data/reports/GO-2024-2659.yaml
@@ -0,0 +1,32 @@
+id: GO-2024-2659
+modules:
+    - module: github.com/docker/docker
+      versions:
+        - introduced: 25.0.0+incompatible
+          fixed: 25.0.5+incompatible
+        - introduced: 26.0.0-rc1+incompatible
+          fixed: 26.0.0-rc3+incompatible
+      vulnerable_at: 26.0.0-rc1+incompatible
+summary: Data exfiltration from internal networks in github.com/docker/docker
+description: |-
+    dockerd forwards DNS requests to the host loopback device, bypassing the
+    container network namespace's normal routing semantics, networks marked as
+    'internal' can unexpectedly forward DNS requests to an external nameserver. By
+    registering a domain for which they control the authoritative nameservers, an
+    attacker could arrange for a compromised container to exfiltrate data by
+    encoding it in DNS queries that will eventually be answered by their
+    nameservers.
+cves:
+    - CVE-2024-29018
+ghsas:
+    - GHSA-mq39-4gv4-mvpx
+credits:
+    - '@robmry'
+    - '@akerouanton'
+    - '@neersighted'
+    - '@gabriellavengeo'
+references:
+    - advisory: https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
+    - web: https://github.com/moby/moby/pull/46609
+notes:
+    - 23.0.11 is not yet released. It can be added as a fix once it is.
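Review bot: The `versions` list starts at `introduced: 25.0.0+incompatible`, but the `notes` entry on the last line says 23.0.11 will be added as a fix once released, which suggests an older release line is affected as well. As written, anything consuming these ranges would treat every version below 25.0.0 as unaffected, so scans of older deployments could miss the issue. If the older line is affected, either list it as a range with `introduced` and no `fixed` until 23.0.11 ships, or state in the note which versions are affected but not yet listed. Separately, the first sentence of `description` is a comma splice that drops the causal link; opening it with `Because dockerd forwards DNS requests to the host loopback device, ...` reads correctly, and the generated `details` string in data/osv/GO-2024-2659.json carries the same text.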