Nobody checked outsized requests
Whereas the earlier authorization bypass was triggered when request Content material-Size was set to 0, nobody checked on the time what would occur in the identical perform if the request exceeded a sure dimension.
“When an API request physique exceeds 1MB, Docker’s middleware silently drops the physique earlier than your authorization plugin sees it,” the Cyera researchers discovered. “The plugin, seeing nothing to examine, approves the request. The Docker daemon then processes the total physique and creates the requested container, doubtlessly granting full host filesystem entry.”
That is basically the identical bug class with the identical root trigger, however utilizing 1MB request padding as a substitute of zero size. As a result of the AuthZ plug-in doesn’t get to examine and block the request, this implies attackers would have entry to all Docker Engine instructions, together with the flexibility to create privileged containers with root entry.
