Dozzle, Authorization Bypass (Critical)

Listen to this Post

The vulnerability exists in Dozzle’s agent-backed shell endpoints (/api/hosts/{hostId}/containers/{containerId}/exec and /attach). When using SIMPLE authentication with per-user label filters (e.g., filter: label=env=dev), the UI correctly hides out-of-scope containers. However, the `FindContainer` function in `agent_service.go` for agent-connected hosts ignores the user’s label filter when resolving a container by its ID. It calls a.client.FindContainer(ctx, id), which bypasses all label checks. An authenticated user with the Shell role can therefore directly target the ID of a restricted container (e.g., env=prod) via the WebSocket endpoint, obtaining an interactive root shell despite the UI-based isolation. The underlying Docker client’s `FindContainer` method explicitly skips filters, creating an authorization bypass between the list and exec/attach operations.

dailycve

Platform: Dozzle
Version: <=9.0.2
Vulnerability: Authorization Bypass
Severity: Critical
date: N/A

Prediction: 2024-04-10

What Undercode Say:

docker run -d --name dozzle-agent -v /var/run/docker.sock:/var/run/docker.sock:ro -p 7007:7007 amir20/dozzle:latest agent
docker run -d --name prod-secret --label env=prod alpine sleep 100000
wscat -c "ws://localhost:8080/api/hosts/${HOST_ID}/containers/${PROD_CID}/exec" -H "Cookie: jwt=${TOKEN}"

How Exploit:

1. Authenticate as a filtered user.

2. Obtain target container ID.

3. Connect directly to agent exec endpoint.

Protection from this CVE

Upgrade to version 9.0.3.

Impact:

Root shell access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top