GHSA-rc4r-wh2q-q6c4 · Severity: medium · Ecosystem: go — Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `USER $USERNAME` Dockerfile instruction; calling `ENTRYPOINT ["su", "-", "user"]` instead sets up the supplementary groups properly.
Conclusion & alert: CVE-2022-36109 is rated Low Risk (24/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.03%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher exploitation likelihood relative to the others).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-04 | 0.05% | 0.03% | -0.02% |
| 2 | 2026-03-01 | 0.03% | 0.05% | +0.02% |
| 3 | 2026-02-04 | — | 0.03% | — |
Full EPSS history: 19 records in total (the most recent changes are listed above).
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM | | 1.8 | 3.4 | [email protected] |
| 6.3 | 3.1 | MEDIUM | | 2.8 | 3.4 | [email protected] |
Vendor tracking status for this CVE.

| vendor | priority | summary | link |
|---|---|---|---|
| alpine | — | CVE-2022-36109: 1 source package row (docker); 7 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 0. | https://security.alpinelinux.org/vuln/CVE-2022-36109 |
| debian | not yet assigned | CVE-2022-36109 has no assigned priority yet: Debian tracks 1 source package (docker.io), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2022-36109 |
| gentoo | low | CVE-2022-36109: 1 GLSA (202409-29), 1 atom (app-containers/docker); latest impact low. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-36109 |
| redhat | low | — | https://access.redhat.com/security/cve/CVE-2022-36109 |
| suse | medium | — | https://www.suse.com/security/cve/CVE-2022-36109/ |
| ubuntu | medium | CVE-2022-36109 medium priority: Ubuntu tracks 1 source package (docker.io), 13 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 6, released 4, ignored 2, needed 1. | https://ubuntu.com/security/CVE-2022-36109 |

Affected products (CPE).
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| mobyproject | moby | < 20.10.18 | cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |