CVE-2021-41089

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

CVSS v3.0 6.3 MEDIUM
CVSS v2.0 4.4 MEDIUM

6.3^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.0 / Impact : 3.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

4.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a	Patch Third Party Advisory
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/	Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

Configurations

Configuration 1 (hide)

cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Information

Published : 2021-10-04 14:15

Updated : 2022-06-14 04:15

NVD link : CVE-2021-41089

Mitre link : CVE-2021-41089

JSON object : View

CWE

CWE-281

Improper Preservation of Permissions

Products Affected

fedoraproject

fedora

mobyproject

moby

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", "name": "https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", "name": "https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/", "name": "FEDORA-2021-df975338d4", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/", "name": "FEDORA-2021-b5a9a481a2", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host\u2019s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-281"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-41089", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.0}}, "publishedDate": "2021-10-04T21:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "20.10.9"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-06-14T11:15Z"}

6.3 /10