GHSA-99pg-grm5-qq3v

Suggest an improvement
Source
https://github.com/advisories/GHSA-99pg-grm5-qq3v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-99pg-grm5-qq3v/GHSA-99pg-grm5-qq3v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-99pg-grm5-qq3v
Aliases
Related
Published
2024-06-10T18:38:49Z
Modified
2024-07-15T22:00:20.127809Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Docker CLI leaks private registry credentials to registry-1.docker.io
Details

Impact

A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to registry-1.docker.io rather than the intended private registry.

Patches

This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible.

Workarounds

Ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.

For more information

If you have any questions or comments about this advisory:

  • Open an issue
  • Email us at security@docker.com if you think you’ve found a security bug
Database specific
{
    "nvd_published_at": "2021-10-04T20:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-10T18:38:49Z"
}
References

Affected packages

Go / github.com/docker/cli

Package

Name
github.com/docker/cli
View open source insights on deps.dev
Purl
pkg:golang/github.com/docker/cli

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.10.9