Details of VAR-202006-0429

ID

VAR-202006-0429

CVE

CVE-2020-13401

TITLE

Docker Engine Input verification vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005933

DESCRIPTION

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. Docker Engine There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202008-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Docker: Information disclosure Date: August 26, 2020 Bugs: #729208 ID: 202008-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A flaw in Docker allowed possible information leakage. Background ========== Docker is the world’s leading software containerization platform. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/docker < 19.03.12 >= 19.03.12 Description =========== It was found that Docker created network bridges which by default accept IPv6 router advertisements. Workaround ========== There is no known workaround at this time. Resolution ========== All Docker users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/docker-19.03.12" References ========== [ 1 ] CVE-2020-13401 https://nvd.nist.gov/vuln/detail/CVE-2020-13401 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202008-15 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . For the stable distribution (buster), this problem has been fixed in version 18.09.1+dfsg1-7.1+deb10u2. We recommend that you upgrade your docker.io packages. For the detailed security status of docker.io please refer to its security tracker page at: https://security-tracker.debian.org/tracker/docker.io Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl7+KBwACgkQEMKTtsN8 TjbyYBAAg+O+0IgB1qBQyB11lKb7t0MGrqo35/MOnYgQK8jbcqBGPQ0eDAfU9z7R C7ixPlMZvu90S+pXNonfOTCwZQ+UrlSzM6wc2HNI2mjp+BId0rpPtxIqr1hcDNGz IAu+hqxFEZhTu6+olK5qyXCRbz38d2Kg/8uS8YznO6IEvhcAjygnSGRR9EfsaC4R jYMD3tJ8vUgEkJRZmZucicCswqC8WczN8a6fHH6Glbs3eIT2vlFINhFZM8PWQ4E/ vtjf8+JPkfrTe7Y2/SMnBkE082gS1/WjYrKXj8RAMJ2M2Y61O9RdGX+wD3NOwjS0 /6PVf2T9+/QbNAQrQFGcnw3uvsSbSiFgaFGhGuI+DJ6yJfrgXSO1Iis9wrCZ0DlK MLJrDP+u+ZQm7U6GNYNiwBnHocl9s4cYNhTj5QaEM76O51Wt2MVuj4t777W9Zdp9 Jt1lFwHJb1KHizYSxySEp3AJcAcSXv89JA2dxtSdEZGojaPoXouRfXqvybWNu2hP wvpWqYeRHlXw32kpq7xrb1uEMkMBlkh6O/d8JeNpFI/Hd3Cl610JbGIYLhTK5A9w m5q4nGADFF0SDEFQmZEVKFJNIlIQKX7MspdAc7nPBfGWQ8Xhttx4Vag0z6HvSxDS ST2wwG0W5O4NNjr3ibdm6JpEgGcZjWDPgqFSH5UkKgDC712SyUc= =vIL3 -----END PGP SIGNATURE-----

Trust: 1.89

sources: NVD: CVE-2020-13401 // JVNDB: JVNDB-2020-005933 // VULMON: CVE-2020-13401 // PACKETSTORM: 158980 // PACKETSTORM: 168872

AFFECTED PRODUCTS

vendor:	broadcom	model:	sannav	scope:	eq	version:	-	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	32	Trust: 1.0
vendor:	fedoraproject	model:	fedora	scope:	eq	version:	31	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	docker	model:	engine	scope:	lt	version:	19.03.11	Trust: 1.0
vendor:	docker	model:	engine	scope:	eq	version:	19.03.11	Trust: 0.8

sources: JVNDB: JVNDB-2020-005933 // NVD: CVE-2020-13401

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-13401
value:	MEDIUM
Trust: 1.0
NVD:	JVNDB-2020-005933
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202006-073
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-13401
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-13401
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	JVNDB-2020-005933
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

nvd@nist.gov:	CVE-2020-13401
baseSeverity:	MEDIUM
baseScore:	6.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	1.8
impactScore:	3.7
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-005933
baseSeverity:	MEDIUM
baseScore:	6.0
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-13401 // JVNDB: JVNDB-2020-005933 // CNNVD: CNNVD-202006-073 // NVD: CVE-2020-13401

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2020-005933 // NVD: CVE-2020-13401

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-073

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202006-073

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005933

PATCH

title:	Docker Engine release notes	url:	https://docs.docker.com/engine/release-notes/	Trust: 0.8
title:	19.03.11	url:	https://github.com/docker/docker-ce/releases/tag/v19.03.11	Trust: 0.8
title:	Docker Engine Enter the fix for the verification error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=121128	Trust: 0.6
title:	Debian CVElist Bug Report Logs: docker.io: CVE-2020-13401	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=087e69ea0b29836f02749d216abff19f	Trust: 0.1
title:	Debian Security Advisories: DSA-4716-1 docker.io -- security update	url:	https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=ce0915ae3e47fbdac9f83db65fc23697	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2020-1376	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1376	Trust: 0.1
title:	Amazon Linux 2: ALAS2DOCKER-2021-002	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2DOCKER-2021-002	Trust: 0.1
title:	Amazon Linux 2: ALAS2NITRO-ENCLAVES-2021-002	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2NITRO-ENCLAVES-2021-002	Trust: 0.1
title:	CVE-2020-13401 Study	url:	https://github.com/mmzaeimi/CVE-2020-13401	Trust: 0.1
title:	CVE-2020-13401 Study	url:	https://github.com/mmzaeimi/Docker-Container-CVE-2020-13401	Trust: 0.1
title:	Awesome Cloud Native Security 🐿	url:	https://github.com/reni2study/Cloud-Native-Security2	Trust: 0.1
title:	Awesome Cloud Native Security 🐿	url:	https://github.com/atesemre/awesome-cloud-native-security	Trust: 0.1
title:	Awesome Cloud Native Security 🐿	url:	https://github.com/brant-ruan/awesome-cloud-native-security	Trust: 0.1
title:	Awesome Cloud Native Security 🐿	url:	https://github.com/Metarget/awesome-cloud-native-security	Trust: 0.1
title:	PoC in GitHub	url:	https://github.com/soosmile/POC	Trust: 0.1

sources: VULMON: CVE-2020-13401 // JVNDB: JVNDB-2020-005933 // CNNVD: CNNVD-202006-073

EXTERNAL IDS

db:	NVD	id:	CVE-2020-13401	Trust: 2.7
db:	OPENWALL	id:	OSS-SECURITY/2020/06/01/5	Trust: 1.7
db:	JVNDB	id:	JVNDB-2020-005933	Trust: 0.8
db:	PACKETSTORM	id:	158980	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.2291	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2455	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-073	Trust: 0.6
db:	VULMON	id:	CVE-2020-13401	Trust: 0.1
db:	PACKETSTORM	id:	168872	Trust: 0.1

sources: VULMON: CVE-2020-13401 // JVNDB: JVNDB-2020-005933 // PACKETSTORM: 158980 // PACKETSTORM: 168872 // CNNVD: CNNVD-202006-073 // NVD: CVE-2020-13401

REFERENCES

url:	https://www.debian.org/security/2020/dsa-4716	Trust: 1.8
url:	https://security.gentoo.org/glsa/202008-15	Trust: 1.8
url:	https://docs.docker.com/engine/release-notes/	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2020/06/01/5	Trust: 1.7
url:	https://github.com/docker/docker-ce/releases/tag/v19.03.11	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00040.html	Trust: 1.7
url:	https://security.netapp.com/advisory/ntap-20200717-0002/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13401	Trust: 1.6
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/dn4jqaoxbe3xunk3fd423lhe3k74emjt/	Trust: 1.1
url:	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/kjzlkrcojmoguiji2as27bozs3rbef3k/	Trust: 1.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-13401	Trust: 0.8
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/kjzlkrcojmoguiji2as27bozs3rbef3k/	Trust: 0.6
url:	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/dn4jqaoxbe3xunk3fd423lhe3k74emjt/	Trust: 0.6
url:	https://packetstormsecurity.com/files/158980/gentoo-linux-security-advisory-202008-15.html	Trust: 0.6
url:	https://www.ibm.com/support/pages/node/6455281	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker-affects-ibm-infosphere-information-server/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2291/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-addressed-multiple-security-vulnerabilities-cve-2020-13401-cve-2019-20372-2/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-docker-vulnerability-cve-2020-13401/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-docker-affects-cloud-pak-sytem-cve-2020-13401/	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2455/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/docker-engine-man-in-the-middle-via-ipv6-router-advertisement-32394	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2020-13401	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affects-ibm-spectrum-protect-plus-cve-2020-13401/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-6/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-4/	Trust: 0.6
url:	https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-5/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962141	Trust: 0.1
url:	https://github.com/mmzaeimi/cve-2020-13401	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://www.debian.org/security/	Trust: 0.1
url:	https://security-tracker.debian.org/tracker/docker.io	Trust: 0.1
url:	https://www.debian.org/security/faq	Trust: 0.1

sources: VULMON: CVE-2020-13401 // JVNDB: JVNDB-2020-005933 // PACKETSTORM: 158980 // PACKETSTORM: 168872 // CNNVD: CNNVD-202006-073 // NVD: CVE-2020-13401

CREDITS

Gentoo

Trust: 0.7

sources: PACKETSTORM: 158980 // CNNVD: CNNVD-202006-073

SOURCES

db:	VULMON	id:	CVE-2020-13401
db:	JVNDB	id:	JVNDB-2020-005933
db:	PACKETSTORM	id:	158980
db:	PACKETSTORM	id:	168872
db:	CNNVD	id:	CNNVD-202006-073
db:	NVD	id:	CVE-2020-13401

LAST UPDATE DATE

2024-11-23T23:01:22.258000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-13401	date:	2023-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-005933	date:	2020-06-25T00:00:00
db:	CNNVD	id:	CNNVD-202006-073	date:	2023-03-02T00:00:00
db:	NVD	id:	CVE-2020-13401	date:	2024-11-21T05:01:11.040

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-13401	date:	2020-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2020-005933	date:	2020-06-25T00:00:00
db:	PACKETSTORM	id:	158980	date:	2020-08-27T15:24:35
db:	PACKETSTORM	id:	168872	date:	2020-07-28T19:12:00
db:	CNNVD	id:	CNNVD-202006-073	date:	2020-06-01T00:00:00
db:	NVD	id:	CVE-2020-13401	date:	2020-06-02T14:15:10.770