GO-2024-2659

Source
https://pkg.go.dev/vuln/GO-2024-2659
Import Source
https://vuln.go.dev/ID/GO-2024-2659.json
Aliases
Published
2024-03-22T18:49:03Z
Modified
2024-03-22T21:56:37.371013Z
Details

Because dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.

References

Affected packages

Go / github.com/docker/docker

Affected ranges

Type
SEMVER
Events
Introduced
25.0.0+incompatible
Fixed
25.0.5+incompatible
Introduced
26.0.0-rc1+incompatible
Fixed
26.0.0-rc3+incompatible