{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36620", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-12-04T17:14:27.602Z", "dateReserved": "2024-05-30T00:00:00", "datePublished": "2024-11-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-11-29T18:08:02.249695"}, "descriptions": [{"lang": "en", "value": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"}, {"url": "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48"}, {"url": "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "CWE-476 NULL Pointer Dereference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-12-04T17:14:00.947934Z", "id": "CVE-2024-36620", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T17:14:27.602Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-36620", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-12-04T17:14:27.602Z", "dateReserved": "2024-05-30T00:00:00", "datePublished": "2024-11-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-11-29T18:08:02.249695"}, "descriptions": [{"lang": "en", "value": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"}, {"url": "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48"}, {"url": "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36620", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-04T17:14:00.947934Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-04T17:14:23.516Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A984EDF-4820-4533-9A3C-18012D41AA41", "versionEndIncluding": "26.0.2", "versionStartIncluding": "25.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go."}, {"lang": "es", "value": "moby v25.0.0 - v26.0.2 es vulnerable a la desreferencia de puntero NULL a trav\u00e9s de daemon/images/image_history.go."}], "id": "CVE-2024-36620", "lastModified": "2025-09-05T13:58:04.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-29T18:15:07.787", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-agent-installer-api-server-rhel9:v4.16.0-202503121138.p0.gef6fa80.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:1703", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-agent-installer-api-server-rhel9:v4.17.0-202502172135.p0.g9145aec.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-26T00:00:00Z"}], "bugzilla": {"description": "github.com/moby/moby: NULL Pointer Dereference in Moby", "id": "2329534", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329534"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.", "A flaw was found in Moby. This vulnerability allows an attacker to cause a NULL pointer dereference, potentially leading to a denial of service via improper handling in the image history functionality."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-36620", "package_state": [{"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/agent-service-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Not affected", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Not affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-11-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36620\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36620\nhttps://gist.github.com/1047524396/f08816669701ab478a265a811d2c89b2\nhttps://github.com/moby/moby/blob/v26.0.2/daemon/images/image_history.go#L48\nhttps://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4"], "threat_severity": "Moderate"}