2024-07-23
In 2018-19, a security vulnerability pertaining to Docker Engine Authorization Plugins was fixed in Docker EE v19.03.0 and backported to Docker EE v18.09.1. The patches were upstreamed to the open-source Moby project’s 18.09 release branch, but the patches were not applied to the Moby development branch. Consequently, Moby v19.03.0 and newer regressed – they are all vulnerable. However, Mirantis Container Runtime never regressed: the patches were carried forward into MCR v20.10 and v23.0.
No versions of MCR (Mirantis Container Runtime) are vulnerable to CVE-2024-41110. Security scanners may incorrectly report MCR binaries as vulnerable as they may be unable to distinguish MCR binaries which contain the fix from binaries built from open-source Moby sources which are missing the patches.
CVE-2024-41110, GHSA-v23v-6jw2-98fq
10.0 (Critical) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- 2019-01-19: Docker v18.09.1 is released with the vulnerability fixed.
- 2019-07-22: Docker v19.03.0 is released. The fix is not present in the open-source Moby release.
- 2024-04-26: Mirantis discovers that there are more differences between the MCR v23.0 and Moby v23.0 sources than expected. The missing fixes in Moby v23.0 are brought to the attention of the other Moby project maintainers.