CVE-2023-40453: Improper Neutralization of Escape, Meta, or Control Sequences

November 7, 2023 (updated November 14, 2023)

Docker Machine through 0.16.2 allows an attacker, who has control of a worker node, to provide crafted version data, which might potentially trick an administrator into performing an unsafe action (via escape sequence injection), or might have a data size that causes a denial of service to a bastion node. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

github.com/docker/machine/releases
hackerone.com/reports/1916285
nvd.nist.gov/vuln/detail/CVE-2023-40453
vin01.github.io/piptagole/docker/security/gitlab/docker-machine/2023/07/07/docker-machine-attack-surface.html

Detect and mitigate CVE-2023-40453 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →