SB2025050132 - Ubuntu update for docker.io

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025050132

SB2025050132 - Ubuntu update for docker.io

Published: May 1, 2025

Security Bulletin ID SB2025050132
Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact

Breakdown by Severity

Medium 71% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Unprotected Alternate Channel (CVE-ID: CVE-2023-28840)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network and perform a denial of service (DoS) attack.


2) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-28841)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing encryption of sensitive data within the overlay network driver. A remote attacker can gain unauthorized access to sensitive information on the system.


3) Unprotected Alternate Channel (CVE-ID: CVE-2023-28842)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.


4) Race condition (CVE-ID: CVE-2024-23651)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a race condition. A remote attacker can exploit the race and cause the files from the host system being accessible to the build container.


5) Race condition (CVE-ID: CVE-2024-36621)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition within builder/builder-next/adapters/snapshot/layer.go. A local user can exploit the race and perform a denial of service (DoS) attack.


6) Race condition (CVE-ID: CVE-2024-36623)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in the streamformatter package. A local user can exploit the race and crash the application.


7) Path traversal (CVE-ID: CVE-2024-23652)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within BuildKit frontend or Dockerfile using RUN --mount. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


Remediation

Install update from vendor's website.

References