GO-2024-2659

Source
https://pkg.go.dev/vuln/GO-2024-2659
Import Source
https://vuln.go.dev/ID/GO-2024-2659.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2659
Aliases
Published
2024-03-22T18:49:03Z
Modified
2024-05-20T16:03:47Z
Summary
Data exfiltration from internal networks in github.com/docker/docker
Details

Because dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2659"
}
References
Credits
    • @robmry
    • @akerouanton
    • @neersighted
    • @gabriellavengeo

Affected packages

Go / github.com/docker/docker

Package

Name
github.com/docker/docker
Purl
pkg:golang/github.com/docker/docker

Affected ranges

Type
SEMVER
Events
Introduced
25.0.0+incompatible
Fixed
25.0.5+incompatible
Introduced
26.0.0-rc1+incompatible
Fixed
26.0.0-rc3+incompatible