Vulnerability-Lookup

CVE-2024-36620 (GCVE-0-2024-36620)

Vulnerability from cvelistv5 – Published: 2024-11-29 00:00 – Updated: 2024-12-04 17:14

Summary

moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

URL

GHSA-Q59J-VV4J-V33C

Vulnerability from github – Published: 2024-11-29 18:34 – Updated: 2024-12-09 21:53

Summary

NULL Pointer Dereference on moby image history

Details

moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

5.7 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/moby/moby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "26.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-04T22:44:38Z",
    "nvd_published_at": "2024-11-29T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.",
  "id": "GHSA-q59j-vv4j-v33c",
  "modified": "2024-12-09T21:53:38Z",
  "published": "2024-11-29T18:34:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moby/moby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3311"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NULL Pointer Dereference on moby image history"
}

CVE-2024-36620

Vulnerability from fstec - Published: 29.11.2024

Title

Уязвимость программного средства для создания систем контейнерной изоляции Moby, связанная с разыменованием нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость программного средства для создания систем контейнерной изоляции Moby связана с разыменованием нулевого указателя. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vendor

Сообщество свободного программного обеспечения, ООО «Ред Софт», ООО «РусБИТех-Астра», Red Hat Inc., Moby Project

Software Name

Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), Red Hat OpenShift Container Platform, multicluster engine for Kubernetes, Moby

Software Version

11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 4 (Red Hat OpenShift Container Platform), - (multicluster engine for Kubernetes), от 25.0.0 до 26.0.2 включительно (Moby)

Possible Mitigations

В условиях отсутствия обновлений безопасности от производителя рекомендуется придерживаться "Рекомендаций по безопасной настройке операционных систем LINUX", изложенных в методическом документе ФСТЭК России, утверждённом 25 декабря 2022 года. Использование рекомендаций: Для Moby: https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2 Для РЭД ОС: https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-docker-ce-cve-2024-36620/ Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/cve-2024-36620 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2024-36620 Для ОС Astra Linux: обновить пакет docker.io-app до 28.3.3.astra1+ci17 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17 Для ОС Astra Linux: обновить пакет docker.io-app до 28.3.3.astra1+ci17 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1216SE47

Reference

https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-docker-ce-cve-2024-36620/ https://access.redhat.com/security/cve/cve-2024-36620 https://security-tracker.debian.org/tracker/CVE-2024-36620 https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2 https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48 https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17 https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1216SE75

CWE

CWE-476

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Red Hat Inc., Moby Project",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), 4 (Red Hat OpenShift Container Platform), - (multicluster engine for Kubernetes), \u043e\u0442 25.0.0 \u0434\u043e 26.0.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Moby)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0412 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u044f \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u0438\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c\u0441\u044f \"\u0420\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u043e \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c LINUX\", \u0438\u0437\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u0445 \u0432 \u043c\u0435\u0442\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u043e\u043c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0435 \u0424\u0421\u0422\u042d\u041a \u0420\u043e\u0441\u0441\u0438\u0438, \u0443\u0442\u0432\u0435\u0440\u0436\u0434\u0451\u043d\u043d\u043e\u043c 25 \u0434\u0435\u043a\u0430\u0431\u0440\u044f 2022 \u0433\u043e\u0434\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Moby:\nhttps://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2\n\n\u0414\u043b\u044f \u0420\u042d\u0414 \u041e\u0421:\nhttps://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-docker-ce-cve-2024-36620/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2024-36620\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2024-36620\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io-app \u0434\u043e 28.3.3.astra1+ci17 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io-app \u0434\u043e 28.3.3.astra1+ci17 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1216SE47",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "29.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "26.12.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "19.12.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-11295",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-36620",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat OpenShift Container Platform, multicluster engine for Kubernetes, Moby",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0438\u0441\u0442\u0435\u043c \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043d\u043e\u0439 \u0438\u0437\u043e\u043b\u044f\u0446\u0438\u0438 Moby, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0440\u0430\u0437\u044b\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0443\u043b\u0435\u0432\u043e\u0433\u043e \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044f, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0437\u044b\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044f NULL (CWE-476)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0441\u0438\u0441\u0442\u0435\u043c \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u043d\u043e\u0439 \u0438\u0437\u043e\u043b\u044f\u0446\u0438\u0438 Moby \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0440\u0430\u0437\u044b\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0443\u043b\u0435\u0432\u043e\u0433\u043e \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044f. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-docker-ce-cve-2024-36620/\nhttps://access.redhat.com/security/cve/cve-2024-36620\nhttps://security-tracker.debian.org/tracker/CVE-2024-36620\nhttps://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2\t\nhttps://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48\t\nhttps://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2025-1202SE17\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2025-1216SE75",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-476",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

FKIE_CVE-2024-36620

Vulnerability from fkie_nvd - Published: 2024-11-29 18:15 - Updated: 2025-09-05 13:58

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.

References

URL	Tags
cve@mitre.org	https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2	Third Party Advisory
cve@mitre.org	https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48	Product
cve@mitre.org	https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4	Patch

Impacted products

	Vendor	Product	Version
	mobyproject	moby	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A984EDF-4820-4533-9A3C-18012D41AA41",
              "versionEndIncluding": "26.0.2",
              "versionStartIncluding": "25.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go."
    },
    {
      "lang": "es",
      "value": "moby v25.0.0 - v26.0.2 es vulnerable a la desreferencia de puntero NULL a trav\u00e9s de daemon/images/image_history.go."
    }
  ],
  "id": "CVE-2024-36620",
  "lastModified": "2025-09-05T13:58:04.270",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-29T18:15:07.787",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

CERTFR-2025-AVI-0279

Vulnerability from certfr_avis - Published: 2025-04-04 - Updated: 2025-04-04

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Db2	Db2 versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Application Server Liberty sans le correctif APAR PH65394
IBM	Db2 Warehouse	Db2 Warehouse versions antérieures à 5.1.2 pour Cloud Pak for Data
IBM	WebSphere	WebSphere Hybrid Edition sans le dernier correctif de sécurité
IBM	QRadar Analyst Workflow	QRadar Analyst Workflow versions antérieures à 3.0.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7230024	2025-04-03	vendor-advisory
Bulletin de sécurité IBM 7229770	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229443	2025-03-28	vendor-advisory
Bulletin de sécurité IBM 7229768	2025-04-01	vendor-advisory
Bulletin de sécurité IBM 7229772	2025-04-01	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Db2 versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Application Server Liberty sans le correctif APAR PH65394",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Db2 Warehouse versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
      "product": {
        "name": "Db2 Warehouse",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere Hybrid Edition sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Analyst Workflow versions ant\u00e9rieures \u00e0 3.0.0",
      "product": {
        "name": "QRadar Analyst Workflow",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2021-44906",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
    },
    {
      "name": "CVE-2023-45857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
    },
    {
      "name": "CVE-2023-45142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
    },
    {
      "name": "CVE-2022-48890",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48890"
    },
    {
      "name": "CVE-2024-35176",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35176"
    },
    {
      "name": "CVE-2024-37071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-37071"
    },
    {
      "name": "CVE-2025-25285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25285"
    },
    {
      "name": "CVE-2024-6232",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
    },
    {
      "name": "CVE-2024-34997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-34997"
    },
    {
      "name": "CVE-2024-51479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-51479"
    },
    {
      "name": "CVE-2024-43398",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43398"
    },
    {
      "name": "CVE-2024-35946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35946"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2024-41761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41761"
    },
    {
      "name": "CVE-2022-29153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29153"
    },
    {
      "name": "CVE-2023-52605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52605"
    },
    {
      "name": "CVE-2021-23337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
    },
    {
      "name": "CVE-2018-6341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-6341"
    },
    {
      "name": "CVE-2023-52455",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52455"
    },
    {
      "name": "CVE-2024-45338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
    },
    {
      "name": "CVE-2025-27152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
    },
    {
      "name": "CVE-2024-26740",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26740"
    },
    {
      "name": "CVE-2024-47764",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47764"
    },
    {
      "name": "CVE-2025-25288",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25288"
    },
    {
      "name": "CVE-2024-35790",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
    },
    {
      "name": "CVE-2022-48921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48921"
    },
    {
      "name": "CVE-2024-45296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
    },
    {
      "name": "CVE-2025-25290",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25290"
    },
    {
      "name": "CVE-2024-45337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
    },
    {
      "name": "CVE-2024-39908",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39908"
    },
    {
      "name": "CVE-2021-47495",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-47495"
    },
    {
      "name": "CVE-2024-41946",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
    },
    {
      "name": "CVE-2023-52832",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52832"
    },
    {
      "name": "CVE-2024-41110",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
    },
    {
      "name": "CVE-2024-27281",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27281"
    },
    {
      "name": "CVE-2024-52798",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
    },
    {
      "name": "CVE-2023-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
    },
    {
      "name": "CVE-2024-6484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6484"
    },
    {
      "name": "CVE-2020-13844",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13844"
    },
    {
      "name": "CVE-2024-26776",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26776"
    },
    {
      "name": "CVE-2024-6485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
    },
    {
      "name": "CVE-2024-41762",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41762"
    },
    {
      "name": "CVE-2024-39494",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39494"
    },
    {
      "name": "CVE-2025-23184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
    },
    {
      "name": "CVE-2024-6119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
    },
    {
      "name": "CVE-2021-4204",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4204"
    },
    {
      "name": "CVE-2024-26843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-26843"
    },
    {
      "name": "CVE-2024-40679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40679"
    },
    {
      "name": "CVE-2023-52885",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52885"
    },
    {
      "name": "CVE-2018-20225",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-20225"
    },
    {
      "name": "CVE-2019-11253",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
    },
    {
      "name": "CVE-2023-52898",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52898"
    },
    {
      "name": "CVE-2025-25289",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-25289"
    },
    {
      "name": "CVE-2024-45663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45663"
    },
    {
      "name": "CVE-2023-52467",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-52467"
    },
    {
      "name": "CVE-2024-41123",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
    },
    {
      "name": "CVE-2024-36620",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-36620"
    },
    {
      "name": "CVE-2022-48706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-48706"
    },
    {
      "name": "CVE-2024-49761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
    }
  ],
  "initial_release_date": "2025-04-04T00:00:00",
  "last_revision_date": "2025-04-04T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0279",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-04-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2025-04-03",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7230024",
      "url": "https://www.ibm.com/support/pages/node/7230024"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229770",
      "url": "https://www.ibm.com/support/pages/node/7229770"
    },
    {
      "published_at": "2025-03-28",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229443",
      "url": "https://www.ibm.com/support/pages/node/7229443"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229768",
      "url": "https://www.ibm.com/support/pages/node/7229768"
    },
    {
      "published_at": "2025-04-01",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7229772",
      "url": "https://www.ibm.com/support/pages/node/7229772"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-36620 (GCVE-0-2024-36620)

GHSA-Q59J-VV4J-V33C

CVE-2024-36620

FKIE_CVE-2024-36620

CERTFR-2025-AVI-0279

Solutions

Tags

Sightings

Nomenclature