Name of the Vulnerable Software and Affected Versions:
Moby versions 28.2.0 through 28.3.2
Description:
Moby is an open source container framework developed by Docker Inc. When the firewalld service is reloaded, it flushes all iptables rules, including the ones Docker created. Docker responds to the reload by recreating its rules, but in affected versions it recreates only some of them: the rules that block external access to containers are not restored. As a result, a remote machine with a route to the Docker bridge network can reach container ports that were published only to localhost (for example with -p 127.0.0.1:8080:80), even though such ports are meant to be reachable from the host alone. The exposure persists until the daemon recreates its rules, for instance on a daemon restart or when the network is recreated. Only explicitly published ports are affected; unpublished ports remain protected.
Recommendations:
Moby versions 28.2.0 through 28.3.2: Upgrade to version 28.3.3 or later.
As a workaround, restart the docker daemon after each firewalld reload; the daemon recreates its full iptables rule set on startup.
As a workaround, re-create the bridge networks after each firewalld reload, which also recreates their rules.
As a workaround, use rootless mode, which does not rely on the host's iptables rules.
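The following script is an added example for this advisory, not code from the Moby project. It snapshots the filter-table chains that Docker manages, reloads firewalld, and reports every rule that did not come back, then applies the daemon-restart workaround if anything is missing. The chain names, the two-second settle time, and the sample rule lines in the demo function are assumptions; the demo input is constructed and only approximates the form of the rules Docker emits, so check your own host with `iptables -S` before relying on the exact text.

```shell
#!/bin/sh
# Added example (not from the Moby project or the advisory text).
# Compares Docker's iptables rules before and after a firewalld reload;
# any rule that disappears is one the daemon failed to recreate.

# Chains Docker creates in the filter table on a default 28.x install
# (assumption; confirm with: iptables -S | grep -o 'DOCKER[A-Z0-9-]*' | sort -u).
DOCKER_CHAINS="DOCKER DOCKER-USER DOCKER-FORWARD DOCKER-BRIDGE DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2"

# Dump the rules of the managed chains as `iptables -S` lines, one rule per
# line. Chains that do not exist on this host are silently skipped.
snapshot_rules() {
    for chain in $DOCKER_CHAINS; do
        iptables -S "$chain" 2>/dev/null | grep '^-A ' || true
    done
}

# rules_missing BEFORE AFTER: print every rule line present in BEFORE but
# absent from AFTER. Prints nothing when every rule was restored.
rules_missing() {
    before=$1
    after=$2
    printf '%s\n' "$before" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$after" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Offline demonstration on constructed snapshots. The rule text is
# illustrative of a port published to 127.0.0.1 and is not a verbatim
# Docker rule; the point is that the DROP rule vanishes after the reload.
demo_constructed() {
    before='-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER ! -s 127.0.0.1/32 -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j DROP
-A DOCKER-USER -j RETURN'
    after='-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN'
    rules_missing "$before" "$after"
}

# Live procedure: needs root, docker and firewalld. Guarded so the functions
# above can be sourced or tested without touching the host firewall.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    before=$(snapshot_rules)
    firewall-cmd --reload
    sleep 2   # assumption: enough time for dockerd to re-add what it restores
    after=$(snapshot_rules)
    missing=$(rules_missing "$before" "$after")
    if [ -n "$missing" ]; then
        echo "rules not restored after firewalld reload:"
        printf '%s\n' "$missing"
        echo "restarting dockerd to recreate them"
        systemctl restart docker
    else
        echo "all Docker iptables rules restored"
    fi
else
    echo "constructed demo, rules lost after reload:"
    demo_constructed
fi
```

Run it as root with `RUN_LIVE=1 sh check-docker-rules.sh` on a host where you can tolerate a firewalld reload; without the variable it only runs the constructed demo. On a fixed version (28.3.3 or later) the live run should report nothing missing, which is a useful post-upgrade check, since a reload that silently drops rules leaves no error in the daemon log.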