Vulnerability CVE-2021-41089

Vulnerability Name:

CVE-2021-41089 (CCN-210637)

Assigned:

2021-10-04

Published:

2021-10-04

Updated:

2022-06-14

Summary:

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

CVSS v3 Severity:

6.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
5.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

3.5 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-281

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2021-41089

Source: CONFIRM
Type: UNKNOWN
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

Source: XF
Type: UNKNOWN
moby-cve202141089-sec-bypass(210637)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a

Source: CCN
Type: Moby GIT Repository
docker cp allows unexpected chmod of host files

Source: CONFIRM
Type: Third Party Advisory
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-b5a9a481a2

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-df975338d4

Source: CCN
Type: oss-sec Mailing List, Mon, 4 Oct 2021 18:57:19 +0000
Moby (Docker Engine) CVE-2021-41089

Source: CCN
Type: IBM Security Bulletin 6829327 (InfoSphere Information Server)
Multiple vulnerabilities in Docker affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6991641 (Edge Application Manager)
Open Source Dependency Vulnerability

Vulnerable Configuration:

Configuration 1:

cpe:/a:mobyproject:moby:*:*:*:*:*:*:*:* (Version < 20.10.9)

Configuration 2:

cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mobyproject:moby:20.10.8:*:*:*:*:*:*:*

AND

cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7853	P	docker-20.10.23_ce-150000.175.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3797	P	Security update for gimp (Moderate)	2022-08-01
oval:org.opensuse.security:def:95416	P	Security update for the Linux Kernel (Important)	2022-07-21
oval:org.opensuse.security:def:3804	P	tcpdump-4.9.2-14.14.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3243	P	libpython3_6m1_0-3.6.8-2.13 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94873	P	docker-20.10.12_ce-159.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94713	P	libsqlite3-0-3.36.0-3.12.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:100061	P	(Moderate)	2022-04-01
oval:org.opensuse.security:def:99750	P	(Moderate)	2022-02-21
oval:org.opensuse.security:def:99209	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93632	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:42336	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:101687	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:94053	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93321	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:99483	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:94474	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:100075	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93481	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:42192	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:100747	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93841	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93163	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:996	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:94267	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:99745	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:100413	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:112166	P	docker-20.10.9_ce-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99157	P	(Moderate)	2021-11-04
oval:org.opensuse.security:def:111104	P	Security update for containerd, docker, runc (Important)	2021-10-31
oval:org.opensuse.security:def:9801	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:94403	P	(Important)	2021-10-25
oval:org.opensuse.security:def:5868	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99551	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:106440	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92601	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69742	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:76366	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100005	P	(Important)	2021-10-25
oval:org.opensuse.security:def:9046	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:102129	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:98962	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:105847	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92012	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:42132	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:66957	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100670	P	(Important)	2021-10-25
oval:org.opensuse.security:def:10165	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:6209	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93766	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106727	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92800	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93108	P	(Important)	2021-10-25
oval:org.opensuse.security:def:111761	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69941	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:989	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:9411	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:103020	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:94192	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106042	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92207	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:67298	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:10352	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99688	P	(Important)	2021-10-25
oval:org.opensuse.security:def:8664	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:108092	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:70305	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:64886	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100341	P	(Important)	2021-10-25
oval:org.opensuse.security:def:9602	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99153	P	(Important)	2021-10-25
oval:org.opensuse.security:def:99352	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93582	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106241	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92402	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:42231	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69551	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:101681	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:76025	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:117606	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:8851	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:101426	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93980	P	(Important)	2021-10-25
oval:org.opensuse.security:def:108795	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93268	P	(Important)	2021-10-25
oval:org.opensuse.security:def:105652	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:70492	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:64893	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:20653	P	Security update for containerd, docker, runc (Important)	2021-10-12
oval:org.opensuse.security:def:49124	P	Security update for containerd, docker, runc (Important)	2021-10-12

BACK