data/reports/GO-2024-2521.yaml - vulndb - Git at Google

 id: GO-2024-2521
 modules:
     - module: github.com/docker/docker
       versions:
         - fixed: 20.10.0-beta1+incompatible
       non_go_versions:
         - introduced: 19.03.0
         - fixed: 19.03.1
       packages:
         - package: github.com/docker/docker/pkg/chrootarchive
           skip_fix: fix does not work with incompatible versions
     - module: github.com/moby/moby
       versions:
         - fixed: 20.10.0-beta1+incompatible
       non_go_versions:
         - introduced: 19.03.0
         - fixed: 19.03.1
       packages:
         - package: github.com/moby/moby/pkg/chrootarchive
           skip_fix: fix does not work with incompatible versions
 summary: Moby Docker cp broken with debian containers in github.com/docker/docker
 description: |-
     In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc),
     code injection can occur when the nsswitch facility dynamically loads a library
     inside a chroot that contains the contents of the container.
 cves:
     - CVE-2019-14271
 ghsas:
     - GHSA-v2cv-wwxq-qq97
 references:
     - advisory: https://github.com/advisories/GHSA-v2cv-wwxq-qq97
     - fix: https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
     - fix: https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
     - fix: https://github.com/moby/moby/pull/39612
     - report: https://github.com/moby/moby/issues/39449
 source:
     id: GHSA-v2cv-wwxq-qq97
     created: 2024-07-15T12:29:37.368794-04:00
 review_status: REVIEWED
 unexcluded: EFFECTIVELY_PRIVATE
	id: GO-2024-2521
	modules:
	- module: github.com/docker/docker
	versions:
	- fixed: 20.10.0-beta1+incompatible
	non_go_versions:
	- introduced: 19.03.0
	- fixed: 19.03.1
	packages:
	- package: github.com/docker/docker/pkg/chrootarchive
	skip_fix: fix does not work with incompatible versions
	- module: github.com/moby/moby
	versions:
	- fixed: 20.10.0-beta1+incompatible
	non_go_versions:
	- introduced: 19.03.0
	- fixed: 19.03.1
	packages:
	- package: github.com/moby/moby/pkg/chrootarchive
	skip_fix: fix does not work with incompatible versions
	summary: Moby Docker cp broken with debian containers in github.com/docker/docker
	description: \|-
	In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc),
	code injection can occur when the nsswitch facility dynamically loads a library
	inside a chroot that contains the contents of the container.
	cves:
	- CVE-2019-14271
	ghsas:
	- GHSA-v2cv-wwxq-qq97
	references:
	- advisory: https://github.com/advisories/GHSA-v2cv-wwxq-qq97
	- fix: https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
	- fix: https://github.com/moby/moby/commit/fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
	- fix: https://github.com/moby/moby/pull/39612
	- report: https://github.com/moby/moby/issues/39449
	source:
	id: GHSA-v2cv-wwxq-qq97
	created: 2024-07-15T12:29:37.368794-04:00
	review_status: REVIEWED
	unexcluded: EFFECTIVELY_PRIVATE