CVE-2018-12608

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.

Published: Sep 10, 2018
Updated: May 4, 2025
CVE: CVE-2018-12608
GHSA: GHSA-qrqr-3x5j-2xw9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-288
CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
mobyproject / moby	-	17.06.0
github.com/docker/docker	-	17.06.0-ce

https://github.com/moby/moby/commit/190c6e8cf8b893874a33d83f78307f1bed0bfbcd
https://github.com/moby/moby/issues/33173
https://github.com/moby/moby/pull/33182

Vulnerability Database

CVE-2018-12608

Deep Security Visibility Without the Complexity