Description

Docker dependencies are referenced by mutable tags instead of being pinned to an exact digest. The build therefore cannot verify the integrity of the images it pulls, and anyone who can publish to the referenced tag can replace the components the build uses with malicious ones without leaving a trace in the Dockerfile.

Impact

Dependencies or components can be overridden with malicious content, and the build will consume them as if they were the intended versions.

Recommendation

Pin every dependency to an immutable reference whose integrity can be verified at build time: image digests (`image@sha256:...`) instead of tags, Git commit hashes instead of branch names, and artifact checksums for downloaded files.
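As an added example that is not part of the original page or of any project's code, the following POSIX shell lint reports `FROM` instructions whose base image is not pinned to a `sha256` digest, so the check can run in CI before a build. The sample Dockerfile, its image names and the digest values are constructed for the demo (the digest is of the correct shape but is not the real digest of any published image).

```shell
#!/bin/sh
# Added example, not from the original page or any project: a small lint that
# reports FROM instructions whose base image is not pinned to an immutable
# sha256 digest. A mutable tag such as golang:1.22 can be re-pointed by anyone
# who can write to the registry; a digest is a content hash, so a replaced
# image makes the build fail to resolve instead of silently pulling it.

# Print every unpinned base-image reference in the Dockerfile, one per line.
# Accepted as pinned: "scratch", references to earlier build stages
# (FROM x AS name), and refs carrying "@sha256:" plus exactly 64 hex digits.
# Body runs in a subshell so "set -f" (no globbing while word-splitting) stays local.
unpinned_from_refs() (
    set -f
    stages=""
    # drop comments and leading whitespace, keep FROM instructions only
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
        | grep -iE '^FROM[[:space:]]' \
        | while IFS= read -r line; do
            set -- $line            # FROM [--flag ...] <ref> [AS <alias>]
            shift                   # discard FROM
            ref=""; alias=""
            while [ $# -gt 0 ]; do
                case "$1" in
                    --*) ;;                                 # e.g. --platform=linux/amd64
                    [Aa][Ss]) if [ $# -gt 1 ]; then shift; alias="$1"; fi ;;
                    *) [ -n "$ref" ] || ref="$1" ;;
                esac
                shift
            done
            case "$ref" in
                scratch) ;;                                 # empty base, nothing to pin
                *@sha256:*)
                    digest="${ref##*@sha256:}"
                    case "$digest" in
                        *[!0-9a-f]*) echo "$ref" ;;         # not lowercase hex
                        *) [ "${#digest}" -eq 64 ] || echo "$ref" ;;
                    esac ;;
                *)
                    case " $stages " in
                        *" $ref "*) ;;                      # alias of an earlier stage
                        *) echo "$ref" ;;
                    esac ;;
            esac
            if [ -n "$alias" ]; then stages="$stages $alias"; fi
        done
    return 0
)

# Return 0 when every base image is pinned, 1 otherwise (offenders on stdout).
check_pinned_from() {
    bad=$(unpinned_from_refs "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/unpinned base image: /'
    return 1
}

# Constructed sample Dockerfile for the demo (not a real project file).
SAMPLE_DOCKERFILE=$(mktemp)
cat > "$SAMPLE_DOCKERFILE" <<'EOF'
# weak: a mutable tag; whoever can write to the registry can re-point it
FROM golang:1.22 AS builder
WORKDIR /src
RUN go build -o /out/app ./cmd/app

# pinned: the digest is a content hash, so the image cannot change silently
# (placeholder digest of the right shape, not the real digest of alpine:3.19)
FROM --platform=linux/amd64 alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
COPY --from=builder /out/app /usr/local/bin/app

FROM builder AS test
RUN go vet ./cmd/app

FROM scratch
COPY --from=builder /out/app /app
EOF

check_pinned_from "$SAMPLE_DOCKERFILE" || echo "pin the base images listed above"
```

Only the `golang:1.22` line is reported; the digest-pinned image, the stage alias `builder` and `scratch` pass. The digest to pin for a tag can be read from the registry manifest, for instance with `docker buildx imagetools inspect <image>:<tag>`. The lint covers `FROM` only: files fetched with `ADD` from a URL, or packages installed in `RUN` steps, need their own checksum or lockfile pinning as the recommendation above describes.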

Threat

Anonymous attacker from the Internet with write access to the provider's releases (the registry tag or artifact the build pulls).

Expected Remediation Time

⏱️ 15 minutes.

Score

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

Attack vector (AV): N (Network)

Attack complexity (AC): H (High)

Attack requirements (AT): N (None)

Privileges required (PR): N (None)

User interaction (UI): P (Passive)

Confidentiality (VC): N (None)

Integrity (VI): L (Low)

Availability (VA): N (None)

Confidentiality (SC): N (None)

Integrity (SI): N (None)

Availability (SA): N (None)

Threat 4.0

Exploit maturity (E): U (Unreported)

Vector string

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U