Alpine: multiple docker packages: security update to 20.10.18-r0

medium Tenable Self-Hosted Container Security Plugin ID 404106

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Moby is an open-source project created by Docker to enable software containerization. A bug was found in
Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access
to a container and manipulates their supplementary group access, they may be able to use supplementary
group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive
information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker
Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For
users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile
instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up
properly. (CVE-2022-36109)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-36109

Plugin Details

Severity: Medium

ID: 404106

Version: Revision 1.33

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.6

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2022-36109

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/9/2022

Reference Information

CVE: CVE-2022-36109