CVE-2024-41110
CVE-2024-41110 is a critical-severity vulnerability with a CVSS 3.x base score of 9.9. Its EPSS exploit-prediction score of 16% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-187.
Key facts
- Severity: Critical (CVSS 3.x base score 9.9)
- EPSS exploit prediction: 16% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-2415
- Weakness: CWE-187
- Published:
- Last modified:
Description
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
Frequently asked questions
- What is CVE-2024-41110?
- Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
- How severe is CVE-2024-41110?
- CVE-2024-41110 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-41110 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 16% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2024-41110?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-41110 have an EU (EUVD) identifier?
- Yes. CVE-2024-41110 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2415.
- When was CVE-2024-41110 published?
- CVE-2024-41110 was published on 2024-07-24 and last updated on 2026-06-17.
References
- https://github.com/moby/moby/commit/411e817ddf710ff8e08fa193da80cb78af708191
- https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
- https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
- https://github.com/moby/moby/commit/852759a7df454cbf88db4e954c919becd48faa9b
- https://github.com/moby/moby/commit/a31260625655cff9ae226b51757915e275e304b0
- https://github.com/moby/moby/commit/a79fabbfe84117696a19671f4aa88b82d0f64fc1
- https://github.com/moby/moby/commit/ae160b4edddb72ef4bd71f66b975a1a1cc434f00
- https://github.com/moby/moby/commit/ae2b3666c517c96cbc2adf1af5591a6b00d4ec0f
- https://github.com/moby/moby/commit/cc13f952511154a2866bddbb7dddebfe9e83b801
- https://github.com/moby/moby/commit/fc274cd2ff4cf3b48c91697fb327dd1fb95588fb
- https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
- https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin
- https://lists.debian.org/debian-lts-announce/2024/10/msg00009.html
- https://security.netapp.com/advisory/ntap-20240802-0001/
Other CWE-187 vulnerabilities
- CVE-2022-31802 — Critical (CVSS 9.8): In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared…
- CVE-2026-34785 — High (CVSS 7.5): Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines…
- CVE-2026-44837 — Medium (CVSS 5.9): view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From…
- CVE-2026-45692 — Medium (CVSS 5.4): Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and…
- CVE-2026-14687 — Medium (CVSS 5.3): A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the…
- CVE-2025-23384 — Low (CVSS 3.7): A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2.1),…