CVE-2024-24557
Local File Manipulation vulnerability in docker (Go)
What is CVE-2024-24557 About?
JSDom improperly allows the loading of local resources, which could lead to local file manipulation. This vulnerability is possible when script execution is enabled and a malicious web page is accessed. The advisory was withdrawn because JSDom requires specific user configuration to allow local file access.
Affected Software
- github.com/docker/docker
  - <24.0.9
  - <24.0.9+incompatible
  - >25.0.0, <25.0.2
- github.com/moby/moby
  - <24.0.9
  - <24.0.9+incompatible
  - >25.0.0, <25.0.2
Technical Details
The original advisory for JSDom indicated that it improperly allowed the loading of local resources. This flaw would enable a malicious web page, when script execution is enabled in JSDom, to manipulate local files on the system running JSDom. The mechanism would involve the attacker crafting a web page that, when rendered or processed by JSDom, could access and potentially alter local system files outside its intended sandbox. The advisory was later withdrawn because this behavior only occurs if the user explicitly configures JSDom to allow access to local files, which is not the default or recommended setting.
What is the Impact of CVE-2024-24557?
Successful exploitation may allow attackers to read, modify, or delete local files on the system where JSDom is running, potentially leading to information disclosure, data corruption, or further system compromise.
What is the Exploitability of CVE-2024-24557?
Exploitation of this vulnerability is highly specific and depends on a non-default configuration of JSDom: the user must explicitly configure JSDom to allow access to local files. Given this precondition, the complexity of exploitation is high. An attacker would need to craft a malicious web page, which would then need to be processed by a JSDom instance configured to permit local file access and with script execution enabled. This is typically a local attack scenario, or one requiring significant user interaction and misconfiguration. No specific authentication or privilege requirements are associated with the vulnerability itself, but configuring JSDom in this insecure manner might require administrative privileges. Remote exploitation would likely involve convincing a victim to process a malicious web page through their specially configured JSDom environment. The special constraint is that the non-default user configuration must be in place.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-24557?
Available Upgrade Options
- github.com/moby/moby
  - <24.0.9+incompatible → Upgrade to 24.0.9+incompatible
  - <24.0.9 → Upgrade to 24.0.9
  - >25.0.0, <25.0.2 → Upgrade to 25.0.2
- github.com/docker/docker
  - <24.0.9+incompatible → Upgrade to 24.0.9+incompatible
  - <24.0.9 → Upgrade to 24.0.9
  - >25.0.0, <25.0.2 → Upgrade to 25.0.2
Additional Resources
- https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
- https://osv.dev/vulnerability/GO-2024-2512
- https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
- https://github.com/moby/moby/commit/fca702de7f71362c8d103073c7e4a1d0a467fadd
- https://github.com/moby/moby
- https://github.com/moby/moby/commit/fce6e0ca9bc000888de3daa157af14fa41fcd0ff
What are Similar Vulnerabilities to CVE-2024-24557?
Similar Vulnerabilities: CVE-2023-46830, CVE-2023-38038, CVE-2023-45136, CVE-2023-45803, CVE-2023-43306