CVE-2024-41110: Update base Docker image in Dockerfile.dblab-server (27.1.1 → 27.5.1 or 29.2.1)
Problem
GCP Marketplace security scanner detects CVE-2024-41110 (CRITICAL) in the postgresai/dblab-server:4.0.4 Docker image. The vulnerability is in the docker-buildx and docker-compose CLI plugins bundled inside the base docker:27.1.1 image.
Root Cause
engine/Dockerfile.dblab-server uses FROM docker:27.1.1 as its base image. This image ships with docker-buildx and docker-compose plugins that contain vulnerable Go dependencies:
$ docker run --rm --entrypoint="" docker:27.1.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-buildx | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v27.0.3
$ docker run --rm --entrypoint="" docker:27.1.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-compose | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v27.1.0
Both v27.0.3 and v27.1.0 are affected by CVE-2024-41110 (fix requires >= 27.1.1).
Note: the direct Go dependency in engine/go.mod is already github.com/docker/docker v28.5.1 — the issue is only in the base image's bundled plugins.
Proposed Fix
In engine/Dockerfile.dblab-server, change:
FROM docker:27.1.1
to one of:
Option 1: docker:27.5.1 (conservative, recommended)
Same major version, minimal risk of breaking changes. Alpine 3.20 → 3.21.
FROM docker:27.5.1
Option 2: docker:29.2.1 (latest stable)
Latest Docker with all updates. Alpine 3.20 → 3.23.
FROM docker:29.2.1
Verification
Both options fix the CVE:
$ docker run --rm --entrypoint="" docker:27.5.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-buildx | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v27.5.0
$ docker run --rm --entrypoint="" docker:27.5.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-compose | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v27.5.1
$ docker run --rm --entrypoint="" docker:29.2.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-buildx | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v28.5.2
$ docker run --rm --entrypoint="" docker:29.2.1 sh -c "strings /usr/local/libexec/docker/cli-plugins/docker-compose | grep -oE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' | sort -u"
github.com/docker/docker@v28.5.2
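As an added example (not part of this issue or the dblab project), the `strings | grep` one-liner used in Root Cause and Verification above, turned into a small POSIX sh check that extracts the vendored github.com/docker/docker module version from a plugin binary and compares it against the 27.1.1 fix threshold. It uses `grep -a` instead of `strings` so it does not depend on binutils, and the function names (`docker_dep_version`, `version_ge`, `check_plugin`) and the sample files are constructed for this example; the sample files only stand in for real plugin binaries.

```shell
#!/bin/sh
# Added example, not the issue author's code. Checks the github.com/docker/docker
# module version embedded in a Go binary against the CVE-2024-41110 fix (>= 27.1.1).

# Print the github.com/docker/docker@vX.Y.Z version (digits only) found in a file.
# Go links a single version of a module, so normally exactly one string appears;
# if several do, the highest is reported.
docker_dep_version() {
    grep -aoE 'github\.com/docker/docker@v[0-9]+\.[0-9]+\.[0-9]+' "$1" \
        | sed 's#.*@v##' | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise (numeric, component-wise).
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Check one plugin binary against a minimum version (default: the CVE fix, 27.1.1).
# Prints a verdict; returns 0 when fixed, 1 when vulnerable or undeterminable.
check_plugin() {
    file=$1; min=${2:-27.1.1}
    v=$(docker_dep_version "$file")
    if [ -z "$v" ]; then
        echo "$file: no github.com/docker/docker module string found"; return 1
    fi
    if version_ge "$v" "$min"; then
        echo "$file: docker/docker v$v >= v$min (fixed)"; return 0
    fi
    echo "$file: docker/docker v$v < v$min (VULNERABLE)"; return 1
}

# Constructed sample files standing in for plugin binaries (not real binaries):
# the versions mirror what the issue found in docker:27.1.1 and docker:27.5.1.
TMP=$(mktemp -d)
printf 'pad\0\0github.com/docker/docker@v27.0.3\0more\0' > "$TMP/docker-buildx-old"
printf 'pad\0\0github.com/docker/docker@v27.5.0\0more\0' > "$TMP/docker-buildx-new"

status=0
for f in "$TMP/docker-buildx-old" "$TMP/docker-buildx-new"; do
    check_plugin "$f" || status=1
done
echo "overall: $status (0 = all plugins fixed)"
```

To check a real image rather than the sample files, run the script inside the container and point `check_plugin` at /usr/local/libexec/docker/cli-plugins/docker-buildx and /usr/local/libexec/docker/cli-plugins/docker-compose, the same paths the one-liners above inspect.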
Comparison
| | docker:27.1.1 (current) | docker:27.5.1 (option 1) | docker:29.2.1 (option 2) |
|---|---|---|---|
| Alpine | 3.20 | 3.21 | 3.23 |
| docker-buildx dep | v27.0.3 | v27.5.0 | v28.5.2 |
| docker-compose dep | v27.1.0 | v27.5.1 | v28.5.2 |
Impact
GCP Marketplace requires this CVE to be fixed by 2026-03-25, otherwise the listing may be removed.
References
- CVE-2024-41110 — moby: Authz zero length regression