Home > Vulnerability Database > WS-2022-0389

Mend.io Vulnerability Database

WS-2022-0389

Date: August 19, 2025

In Moby prior to 20.10.20, a container build can leak any path on the host into the container. Versions of Git where CVE-2022-39253 is present and exploited by a malicious repository, when used in combination with Moby, are subject to an unexpected inclusion of arbitrary filesystem paths in the build context, without any visible warning to the user. As this issue cannot be triggered remotely, except by users who already have full control over the daemon through the API, and it requires exploiting a vulnerability in Git by convincing a user to build a maliciously crafted repository, the impact in Moby is considered low.

Language: Go

Severity Score

5.4

Related Resources (7)

Url: https://github.com/moby/moby/commit/c0d1188c146e793a8a98f3a4105f73c66e662b0a

Url: https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25

Url: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u

Url: https://github.com/moby/moby/releases/tag/v20.10.20

Url: https://github.com/moby/moby

Url: https://github.blog/2022-10-17-git-security-vulnerabilities-announced

Url: https://www.mend.io/vulnerability-database/WS-2022-0389

Severity Score

5.4

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0389

Date: August 19, 2025

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?