GHSA-xxpw-32hf-q8v9

Summary

The official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication.

Severity

High (CVSS 3.1: 8.1)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

• Attack Vector: Network — docker-compose.yml binds memcached to 0.0.0.0:11211 on the host
• Attack Complexity: High — exploitation requires port 11211 to be network-reachable, which depends on external firewall/security group configuration beyond the attacker's control
• Privileges Required: None — memcached has no authentication mechanism enabled
• User Interaction: None
• Scope: Unchanged — impact is to the AVideo application's session management
• Confidentiality Impact: High — session data includes user IDs, admin flags, email addresses, and password hashes
• Integrity Impact: High — an attacker can modify session data to inject admin privileges or impersonate any user
• Availability Impact: High — flush_all destroys all active sessions, forcing mass logout

Affected Component

• docker-compose.yml — memcached service ports directive (line 203)
• Dockerfile — PHP session configuration (lines 150-151)

CWE

• CWE-668: Exposure of Resource to Wrong Sphere
• CWE-287: Improper Authentication (memcached has no authentication)

Description

Memcached port unnecessarily published to host network

The docker-compose.yml publishes the memcached port to the Docker host's network interface:

# docker-compose.yml — lines 192-213
  memcached:
    image: memcached:alpine
    restart: unless-stopped
    command: >
      memcached -m 512 -c 2048 -t ${NPROC:-4} -R 200
    ports:
      -...