GHSA-99pg-grm5-qq3v

Source

https://github.com/advisories/GHSA-99pg-grm5-qq3v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-99pg-grm5-qq3v/GHSA-99pg-grm5-qq3v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-99pg-grm5-qq3v

Aliases

Related

CGA-f849-gq83-8362

Published

2024-06-10T18:38:49Z

Modified

2024-07-15T22:00:20.127809Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Docker CLI leaks private registry credentials to registry-1.docker.io

Details

Impact

A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to registry-1.docker.io rather than the intended private registry.

Patches

This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible.

Workarounds

Ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.

For more information

If you have any questions or comments about this advisory:

Open an issue
Email us at security@docker.com if you think you’ve found a security bug

References

Affected packages

Go / github.com/docker/cli

Package

Name: github.com/docker/cli; View open source insights on deps.dev
Purl: pkg:golang/github.com/docker/cli

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.10.9