CVE-2023-28841
Docker vulnerability analysis and mitigation

Overview

CVE-2023-28841 affects Moby, an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects. The vulnerability was discovered in April 2023 and affects versions from 1.12.0 up to (excluding) 20.10.24 and versions from 23.0.0 up to (excluding) 23.0.3. The issue specifically impacts the encrypted overlay network functionality in Swarm Mode, which is a built-in container orchestrator feature (Moby Advisory).

Technical details

The vulnerability lies in the overlay network driver's encrypted mode. When it sets up an encrypted overlay network endpoint, Moby installs iptables rules that use the u32 match extension (provided by the xt_u32 kernel module) to select VXLAN packets by their VNI field; such a rule designates outgoing VXLAN datagrams carrying the network's VNI for IPsec encapsulation. On systems where the xt_u32 module is unavailable (such as RHEL 8.3+ and RHEL 9), these rules are not created, yet the container remains attached to the network (Moby Advisory). The vulnerability has a CVSS v3.1 base score of 6.8 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (NVD).

Impact

Under these conditions, encrypted overlay networks on affected platforms silently transmit their traffic unencrypted. The networks appear functional and pass traffic as expected, but without the intended confidentiality or data integrity guarantees. An attacker in a trusted network position can potentially read all application traffic moving across the overlay network, leading to unauthorized disclosure of secrets or user data. This is particularly concerning for database protocols and internal APIs that may not have an additional encryption layer of their own (Moby Advisory).

Mitigation and workarounds

Official patches are available in Moby releases 23.0.3 and 20.10.24; Mirantis Container Runtime users should update to version 20.10.16. For those unable to update immediately, two workarounds are available: (1) close the VXLAN port (UDP port 4789) to outgoing traffic at the Internet boundary, so that unencrypted traffic is not unintentionally leaked over the Internet, and/or (2) ensure that the xt_u32 kernel module is available on all nodes of the Swarm cluster (Moby Advisory).
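The following node-side check is an added example, not code from the Moby project or the advisory. It covers the two facts above: whether the installed engine version falls in an affected range, and whether the xt_u32 module that the driver's VNI filter rules need can actually be loaded on this node (plus whether any u32 iptables rules are present at all). The script name `cve-2023-28841-check.sh` is an assumed filename.

```shell
#!/bin/sh
# Added example, not code from the Moby project or the advisory: a node-side
# check for CVE-2023-28841 exposure. Run it on each Swarm node.

# ver_ge A B -> exit 0 when dotted numeric version A >= B, field by field.
ver_ge() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}"  b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# is_affected_version V -> prints yes when V is in [1.12.0, 20.10.24) or
# [23.0.0, 23.0.3), the affected ranges from the advisory; a suffix such as
# "-ce" or "+azure" is ignored for the comparison.
is_affected_version() {
  v="${1%%[!0-9.]*}"
  if ver_ge "$v" 1.12.0 && ! ver_ge "$v" 20.10.24; then echo yes
  elif ver_ge "$v" 23.0.0 && ! ver_ge "$v" 23.0.3; then echo yes
  else echo no
  fi
}

# xt_u32_loadable -> prints yes if xt_u32 is loaded or can be loaded.
# "modprobe -n" is a dry run and does not change kernel state.
xt_u32_loadable() {
  if grep -q '^xt_u32 ' /proc/modules 2>/dev/null || modprobe -n xt_u32 >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# u32_rules_present -> prints yes when iptables carries any "-m u32" rule,
# the match the encrypted overlay driver relies on for VNI filtering. On a
# node with encrypted overlay endpoints, "no" is the symptom described above.
u32_rules_present() {
  if iptables-save 2>/dev/null | grep -q -- '-m u32'; then echo yes; else echo no; fi
}

report() {
  ver="$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo unknown)"
  echo "engine version: $ver (in affected range: $(is_affected_version "$ver"))"
  echo "xt_u32 loadable: $(xt_u32_loadable)"
  echo "u32 iptables rules present: $(u32_rules_present)"
}
# Only report when executed as a script, so the functions can also be sourced.
case "$0" in *cve-2023-28841-check.sh) report ;; esac
```

A node that reports an affected version together with "xt_u32 loadable: no" is exactly the case the advisory describes; a "no" for u32 rules on a node that hosts encrypted overlay endpoints is the observable symptom.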

Source: This report was generated using AI.
