Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f36a8f1f5e3b · 2026-03-27T17:40:03.000Z
GHSA-4vq8-7jfc-9cvp GHSA-pxq6-2prw-chj9
diff --git a/advisories/github-reviewed/2025/07/GHSA-4vq8-7jfc-9cvp/GHSA-4vq8-7jfc-9cvp.json b/advisories/github-reviewed/2025/07/GHSA-4vq8-7jfc-9cvp/GHSA-4vq8-7jfc-9cvp.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4vq8-7jfc-9cvp",
-  "modified": "2025-12-20T03:14:48Z",
+  "modified": "2026-03-27T17:37:52Z",
   "published": "2025-07-29T19:56:25Z",
   "aliases": [
     "CVE-2025-54410"
@@ -28,11 +28,14 @@
               "introduced": "0"
             },
             {
-              "last_affected": "25.0.12"
+              "fixed": "25.0.13"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 25.0.12"
+      }
     },
     {
       "package": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-pxq6-2prw-chj9/GHSA-pxq6-2prw-chj9.json b/advisories/github-reviewed/2026/03/GHSA-pxq6-2prw-chj9/GHSA-pxq6-2prw-chj9.json
@@ -0,0 +1,107 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pxq6-2prw-chj9",
+  "modified": "2026-03-27T17:38:09Z",
+  "published": "2026-03-27T17:38:09Z",
+  "aliases": [
+    "CVE-2026-33997"
+  ],
+  "summary": "Moby has an Off-by-one error in its plugin privilege validation",
+  "details": "## Summary\n\nA security vulnerability has been detected that allows [plugins](https://docs.docker.com/engine/extend/legacy_plugins/) privilege validation to be bypassed during `docker plugin install`. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.\n\nPlugins that request exactly one privilege are also affected, because no comparison is performed at all.\n\n## Impact\n\n**If plugins are not in use, there is no impact.**\n\nWhen a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.\n\nAnyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.\n\nDepending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.\n\n**For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.**\n\n## Workarounds\n\nIf unable to update immediately:\n- Do not install plugins from untrusted sources\n- Carefully review all privileges requested during `docker plugin install`\n- Restrict access to the Docker daemon to trusted parties, following the principle of least privilege\n- Avoid relying on plugin privilege approval as the only control boundary for sensitive environments\n\n## Credits\n\n- Reported by Cody (c@wormhole.guru, PGP 0x9FA5B73E)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/docker/docker"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 29.3.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/moby/moby/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.0-beta.7.0.20260325113954-f4d6f25bf0c3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/moby/moby"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 29.3.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/commit/f4d6f25bf0c3fa12d4968320a45685947756a22a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.docker.com/engine/extend/legacy_plugins"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/moby/moby"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/moby/releases/tag/docker-v29.3.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-193"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T17:38:09Z",
+    "nvd_published_at": null
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-4vq8-7jfc-9cvp",`
`4`		`- "modified": "2025-12-20T03:14:48Z",`
	`4`	`+ "modified": "2026-03-27T17:37:52Z",`
`5`	`5`	`"published": "2025-07-29T19:56:25Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-54410"`
`@@ -28,11 +28,14 @@`
`28`	`28`	`"introduced": "0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "last_affected": "25.0.12"`
	`31`	`+ "fixed": "25.0.13"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`35`		`- ]`
	`35`	`+ ],`
	`36`	`+ "database_specific": {`
	`37`	`+ "last_known_affected_version_range": "<= 25.0.12"`
	`38`	`+ }`
`36`	`39`	`},`
`37`	`40`	`{`
`38`	`41`	`"package": {`