Dockerfile Detected

medium Web App Scanning Plugin ID 113123

Synopsis

Dockerfile Detected

Description

Docker is one of the most popular platforms for operating-system-level virtualization, delivering software in packages called containers. To take advantage of cloud-based infrastructure, developers often build their applications on the microservices architecture pattern, with one or more Docker containers per service, which lets them build and deploy quickly to various environments.

A Docker image is built from a `Dockerfile`, a text file listing the steps needed to assemble the application. Dockerfiles sometimes contain hardcoded secrets (for example credentials set with `ENV` or `ARG`) or other sensitive build details such as base images, dependency versions and internal paths. By retrieving an exposed `Dockerfile`, an attacker learns how the application is assembled and may obtain credentials that grant unauthorized access to one or more web application components.

Solution

Ensure that the `Dockerfile` is not deployed with the application (for example, list it in `.dockerignore` so a `COPY . .` instruction does not copy it into the image) or, at least, that it is not reachable through a web server directory, by keeping it out of the document root, setting restrictive permissions on it, or denying access to it in the web server configuration. Independently of exposure, application secrets should never be defined directly in the `Dockerfile`; they should be supplied at runtime following Docker secrets management best practices.

See Also

https://docs.docker.com/engine/reference/builder/

https://www.docker.com/

Plugin Details

Severity: Medium

ID: 113123

Type: remote

Published: 1/21/2022

Updated: 1/21/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information