x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-gh5c-3h97-2f3q

[GoVulnBot]

Advisory GHSA-gh5c-3h97-2f3q references a vulnerability in the following Go modules:

Module
github.com/moby/moby

Description:
moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.

References:

• ADVISORY: GHSA-gh5c-3h97-2f3q
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-36623
• FIX: moby/moby@5689dab
• WEB: https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29
• WEB: https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115

Cross references:

• github.com/moby/moby appears in 14 other report(s):
  • data/excluded/GO-2023-2199.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2017-16539 #2199) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2207.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-10892 #2207) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2209.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-12608 #2209) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2212.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-15664 #2212) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2236.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2019-13139 #2236) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2316.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21284 #2316) LEGACY_FALSE_POSITIVE
  • data/excluded/GO-2023-2317.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285 #2317) LEGACY_FALSE_POSITIVE
  • data/reports/GO-2022-0390.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390)
  • data/reports/GO-2024-2500.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-3fwx-pjgw-3558 #2500)
  • data/reports/GO-2024-2512.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-24557 #2512)
  • data/reports/GO-2024-2521.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v2cv-wwxq-qq97 #2521)
  • data/reports/GO-2024-2913.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4 #2913)
  • data/reports/GO-2024-2914.yaml (x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-xmmx-7jpf-fx42 #2914)
  • data/reports/GO-2024-3005.yaml (x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-41110 #3005)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/moby/moby
      versions:
        - fixed: 26.0.0+incompatible
      vulnerable_at: 26.0.0-rc3+incompatible
summary: Moby Race Condition vulnerability in github.com/moby/moby
cves:
    - CVE-2024-36623
ghsas:
    - GHSA-gh5c-3h97-2f3q
references:
    - advisory: https://github.com/advisories/GHSA-gh5c-3h97-2f3q
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-36623
    - fix: https://github.com/moby/moby/commit/5689dabfb357b673abdb4391eef426f297d7d1bb
    - web: https://gist.github.com/1047524396/c192c0159a19bf58a4373b696467dc29
    - web: https://github.com/moby/moby/blob/v25.0.3/pkg/streamformatter/streamformatter.go#L115
source:
    id: GHSA-gh5c-3h97-2f3q
    created: 2024-12-02T22:01:48.928445439Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/633598 mentions this issue: data/reports: add 6 unreviewed reports