CISOOnline

Old Docker authorization bypass pops up despite previous patch

No one checked oversized requests

While the previous authorization bypass was triggered when the request's Content-Length was set to 0, no one checked at the time what would happen in the same function if the request body exceeded a certain size.

“When an API request body exceeds 1MB, Docker’s middleware silently drops the body before your authorization plugin sees it,” the Cyera researchers found. “The plugin, seeing nothing to inspect, approves the request. The Docker daemon then processes the full body and creates the requested container, potentially granting full host filesystem access.”

This is essentially the same bug class with the same root cause, triggered by padding the request past 1MB instead of sending a zero-length body. Because the AuthZ plugin never gets to inspect and block the request, attackers would have access to all Docker Engine commands, including the ability to create privileged containers with root access.
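The defensive lesson from both variants is that an authorization plugin must fail closed when it has nothing to inspect. The following is an added example, not code from Docker or from the Cyera researchers: a policy function shaped like the AuthZReq message a Docker authorization plugin receives (RequestMethod, RequestURI, RequestHeaders, base64 RequestBody), which denies any body-bearing request whose delivered body is shorter than the declared Content-Length, denies container creates with an empty body regardless of headers, and rejects privileged or host-root-mounting container specs. It assumes the daemon forwards the client's Content-Length header to the plugin; where it does not, the header-independent empty-body check still applies.

```python
import base64
import json

# Added example (not Docker's or Cyera's code): a fail-closed decision function for
# a Docker authorization plugin. Field names follow the AuthZReq message the daemon
# sends; the Content-Length forwarding is an assumption noted in the lead-in.

BODY_METHODS = {"POST", "PUT", "PATCH"}
CREATE_PATH = "/containers/create"


def _declared_length(headers):
    """Return the Content-Length the client declared, or None if absent or invalid."""
    for name, value in (headers or {}).items():
        if name.lower() == "content-length":
            try:
                return int(value)
            except (TypeError, ValueError):
                return None
    return None


def encode_body(spec):
    """Encode a JSON body the way the daemon forwards it: base64 of the raw bytes."""
    return base64.b64encode(json.dumps(spec).encode()).decode()


def decide(req):
    """Return an AuthZ-style {"Allow": bool, "Msg": str} decision for one request."""
    method = req.get("RequestMethod", "")
    uri = req.get("RequestURI", "")
    body = base64.b64decode(req.get("RequestBody") or "")
    declared = _declared_length(req.get("RequestHeaders"))

    # Core mitigation for the bug above: if the plugin received fewer bytes than the
    # client declared (including the 0 bytes left after an oversized body is dropped),
    # the body cannot be inspected, so the request is refused rather than approved.
    if method in BODY_METHODS and declared is not None and declared > len(body):
        return {"Allow": False,
                "Msg": f"body truncated before inspection ({len(body)}/{declared} bytes)"}

    if CREATE_PATH in uri:
        # Header-independent check: a container create with nothing to inspect is denied.
        if not body:
            return {"Allow": False, "Msg": "container create with no inspectable body"}
        try:
            spec = json.loads(body)
        except ValueError:
            return {"Allow": False, "Msg": "container create body is not valid JSON"}
        host = spec.get("HostConfig") or {}
        if host.get("Privileged"):
            return {"Allow": False, "Msg": "privileged containers are not permitted"}
        for bind in host.get("Binds") or []:
            if bind.split(":", 1)[0] == "/":
                return {"Allow": False, "Msg": "bind-mounting the host root is not permitted"}
    return {"Allow": True, "Msg": ""}
```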
