Docker Engine 28.2 < 28.3.3 Local Docker Ports Exposed to Network

medium Nessus Plugin ID 243284

Synopsis

The remote host has an application installed that is affected by a vulnerability that exposes local ports to the network.

Description

The version of the Docker Engine (Moby) installed on the remote host is between 28.2.0 and 28.3.2. It is therefore affected by a vulnerability that exposes local ports to the network. When the firewalld service is reloaded, it removes all iptables rules, including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports; unpublished ports remain protected. This issue is fixed in version 28.3.3.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
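The following POSIX shell script is an added example, not part of the Nessus plugin or of the Docker project, showing the same version-based check the plugin performs: it decides whether a Docker Engine version falls in the affected range 28.2.0 <= v < 28.3.3 and, when run on a host, reports whether firewalld (the trigger for the exposure described above) is active. It assumes the `docker` CLI and `systemctl` are available for the live check; the version comparison itself needs neither.

```shell
#!/bin/sh
# Added example (not Tenable's plugin code): flag Docker Engine versions in
# the affected range for CVE-2025-54388 and warn when firewalld is active.

# Reduce "MAJOR.MINOR.PATCH[-suffix]" to one integer so versions compare
# numerically (28.10.0 must sort above 28.3.3, which a string compare gets wrong).
vernum() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-ce", "+build", ...
    set -- $(printf '%s' "$v" | tr '.' ' ')         # split into positional fields
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Affected range from the advisory: 28.2.0 <= version < 28.3.3.
docker_version_affected() {
    n=$(vernum "$1")
    [ "$n" -ge "$(vernum 28.2.0)" ] && [ "$n" -lt "$(vernum 28.3.3)" ]
}

# Live check on the local host. Returns 0 when not affected, 1 when affected,
# 2 when the daemon cannot be queried.
check_host() {
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "docker daemon not reachable"
        return 2
    }
    if docker_version_affected "$ver"; then
        echo "Docker Engine $ver is in the affected range (28.2.0 <= v < 28.3.3); upgrade to 28.3.3 or later"
        if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
            echo "firewalld is active: a reload would expose localhost-published container ports"
        fi
        return 1
    fi
    echo "Docker Engine $ver is not affected"
    return 0
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced and used individually.
case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh check_docker.sh --check` on the host; the exit status (0 clean, 1 affected, 2 daemon unreachable) makes it usable from configuration-management or cron jobs. The version parsing strips distribution suffixes such as `-ce` before comparing, since those do not change the fix level.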

Solution

Upgrade to Docker Engine version 28.3.3 or later.

See Also

https://github.com/advisories/GHSA-x4rx-4gw3-53p4

Plugin Details

Severity: Medium

ID: 243284

File Name: docker_cve-2025-54388.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 8/1/2025

Updated: 8/1/2025

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Medium

Base Score: 4.1

Vector: CVSS2#AV:A/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-54388

CVSS v3

Risk Factor: Medium

Base Score: 4.6

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

CPE: cpe:/a:docker:docker

Required KB Items: installed_sw/Docker

Patch Publication Date: 7/29/2025

Vulnerability Publication Date: 7/29/2025

Reference Information

CVE: CVE-2025-54388

IAVA: 2025-A-0560