CVE Vulnerabilities

CVE-2024-24760

Externally Controlled Reference to a Resource in Another Sphere

Published: Feb 02, 2024 | Modified: Feb 10, 2024
CVSS 3.x
7.3
HIGH
Source:
NVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not br-mailcow and the output interface is br-mailcow.

Weakness

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Affected Software

Name Vendor Start Version End Version
Mailcow:_dockerized Mailcow * *

References