Security controls bypass or absence in docker.io

Description

Docker Authentication Bypass

An issue was discovered in Docker Moby before 17.06.0. On non-Windows systems, the Docker engine validated a client TLS certificate against both the configured client CA root certificate and all system roots. This allowed a client holding any domain-validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
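The effect of the two trust configurations on client certificate validation, as an added Go example (not Moby's code). All certificates are constructed in-process, the second root is a stand-in for a system-trusted root CA, and the names issue, accepted and demo are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates constructed test data: a cert for cn, self-signed CA when parent is nil.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// accepted reports whether a server using pool as its client CA set would accept leaf.
func accepted(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// demo validates a client cert issued by the stand-in public root against both pools.
func demo() (merged, pinned bool) {
	configuredCA, _ := issue("constructed configured client CA", nil, nil)
	publicRoot, publicKey := issue("constructed stand-in system root", nil, nil)
	leaf, _ := issue("client.example.test", publicRoot, publicKey)
	strict, loose := x509.NewCertPool(), x509.NewCertPool()
	strict.AddCert(configuredCA) // only the configured client CA is trusted
	loose.AddCert(configuredCA)
	loose.AddCert(publicRoot) // models "configured CA plus all system roots"
	return accepted(leaf, loose), accepted(leaf, strict)
}
func main() { fmt.Println(demo()) }
```

The merged pool accepts the certificate and the configured-CA-only pool rejects it, which is the check to run against any daemon's client CA set when confirming an update took effect.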

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
