CVE-2018-12608: Docker Authentication Bypass

January 31, 2024 (updated July 8, 2024)

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.

References

github.com/advisories/GHSA-qrqr-3x5j-2xw9
github.com/moby/moby
github.com/moby/moby/commit/190c6e8cf8b893874a33d83f78307f1bed0bfbcd
github.com/moby/moby/issues/33173
github.com/moby/moby/pull/33182
nvd.nist.gov/vuln/detail/CVE-2018-12608

Code Behaviors & Features

Detect and mitigate CVE-2018-12608 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →