Moby
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*
- < 29.3.1
An authorization bypass vulnerability has been identified in Moby, an open-source container framework, affecting versions prior to 29.3.1. This vulnerability allows attackers to bypass authorization plugins under certain conditions. The issue arises when a specially crafted API request is sent to the Docker daemon, which then forwards the request to an authorization plugin without including the request body. This omission can lead to unauthorized access, because some plugins allow requests that they would have denied had the body been included.
Successful exploitation lets an attacker bypass authorization controls and perform actions or gain access within the Docker environment that the plugin would otherwise deny. Deployments whose authorization plugins base access-control decisions on inspecting the request body are the ones affected.
Users can update to Docker version 29.3.1 or later to address this vulnerability. If an immediate update is not possible, it is recommended to avoid using AuthZ plugins that depend on request body inspection for security decisions and to restrict access to the Docker API to trusted parties, following the principle of least privilege.