Vulnerability CVE-2021-41092

Vulnerability Name:

CVE-2021-41092 (CCN-210712)

Assigned:

2021-10-04

Published:

2021-10-04

Updated:

2022-06-14

Summary:

Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:M/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Multiple_Instances
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-41092

Source: CONFIRM
Type: UNKNOWN
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

Source: XF
Type: UNKNOWN
dockercli-cve202141092-info-disc(210712)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b

Source: CCN
Type: CLI GIT Repository
Docker CLI leaks private registry credentials to registry-1.docker.io

Source: CONFIRM
Type: Third Party Advisory
https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-b5a9a481a2

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-df975338d4

Source: CCN
Type: IBM Security Bulletin 6525030 (Spectrum Protect Plus)
Vulnerabilities in the Linux Kernel, Docker, Python, and NGINX affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6568675 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses

Source: CCN
Type: IBM Security Bulletin 6579889 (Cloud Pak System Software Suite)
A vulnerability in Docker CLI affects IBM Cloud Pak System (CVE-2021-41092)

Source: CCN
Type: IBM Security Bulletin 6606987 (Cloud Pak for Security)
IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6614449 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 7002503 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Vulnerable Configuration:

Configuration 1:

cpe:/a:docker:command_line_interface:*:*:*:*:*:*:*:* (Version < 20.10.9)

Configuration 2:

cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:cloud_pak_system:2.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_system:2.3.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7853	P	docker-20.10.23_ce-150000.175.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3797	P	Security update for gimp (Moderate)	2022-08-01
oval:org.opensuse.security:def:95416	P	Security update for the Linux Kernel (Important)	2022-07-21
oval:org.opensuse.security:def:3804	P	tcpdump-4.9.2-14.14.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3243	P	libpython3_6m1_0-3.6.8-2.13 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94873	P	docker-20.10.12_ce-159.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94713	P	libsqlite3-0-3.36.0-3.12.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:100061	P	(Moderate)	2022-04-01
oval:org.opensuse.security:def:99750	P	(Moderate)	2022-02-21
oval:org.opensuse.security:def:99209	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93632	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:42336	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:101687	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:94053	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93321	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:99483	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:94474	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:100075	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93481	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:42192	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:100747	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93841	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:93163	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:996	P	Security update for containerd, docker (Moderate)	2022-02-04
oval:org.opensuse.security:def:94267	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:99745	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:100413	P	(Moderate)	2022-02-04
oval:org.opensuse.security:def:112165	P	docker-20.10.9_ce-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99157	P	(Moderate)	2021-11-04
oval:org.opensuse.security:def:111104	P	Security update for containerd, docker, runc (Important)	2021-10-31
oval:org.opensuse.security:def:9801	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:94403	P	(Important)	2021-10-25
oval:org.opensuse.security:def:5868	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99551	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:106440	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92601	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69742	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:76366	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100005	P	(Important)	2021-10-25
oval:org.opensuse.security:def:9046	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:102129	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:98962	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:105847	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92012	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:42132	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:66957	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100670	P	(Important)	2021-10-25
oval:org.opensuse.security:def:10165	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:6209	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93766	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106727	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92800	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93108	P	(Important)	2021-10-25
oval:org.opensuse.security:def:111761	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69941	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:989	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:9411	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:103020	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:94192	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106042	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92207	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:67298	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:10352	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99688	P	(Important)	2021-10-25
oval:org.opensuse.security:def:8664	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:108092	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:70305	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:64886	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:100341	P	(Important)	2021-10-25
oval:org.opensuse.security:def:9602	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:99153	P	(Important)	2021-10-25
oval:org.opensuse.security:def:99352	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93582	P	(Important)	2021-10-25
oval:org.opensuse.security:def:106241	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:92402	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:42231	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:69551	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:101681	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:76025	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:117606	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:8851	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:101426	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93980	P	(Important)	2021-10-25
oval:org.opensuse.security:def:108795	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:93268	P	(Important)	2021-10-25
oval:org.opensuse.security:def:105652	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:70492	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:64893	P	Security update for containerd, docker, runc (Important)	2021-10-25
oval:org.opensuse.security:def:20653	P	Security update for containerd, docker, runc (Important)	2021-10-12
oval:org.opensuse.security:def:49124	P	Security update for containerd, docker, runc (Important)	2021-10-12

BACK