CVE-2021-21284

02.02.2021, 18:15

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
GitHub_M	CNA	6.8 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Vendor	Product	Version
docker	docker	𝑥 < 19.03.15
docker	docker	20.0.0 ≤ 𝑥 < 20.10.3
debian	debian_linux	10.0
netapp	e-series_santricity_os_controller	11.0.0 ≤ 𝑥 ≤ 11.60.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

docker.io

bullseye	20.10.5+dfsg1-1+deb11u2 fixed
bullseye (security)	20.10.5+dfsg1-1+deb11u3 fixed
bookworm	20.10.24+dfsg1-1 fixed
sid	26.1.5+dfsg1-4 fixed
trixie	26.1.5+dfsg1-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

docker.io

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	Fixed 20.10.7-0ubuntu1~21.04.1 released
groovy	ignored
focal	Fixed 20.10.7-0ubuntu1~20.04.1 released
bionic	Fixed 20.10.7-0ubuntu1~18.04.1 released
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://docs.docker.com/engine/release-notes/#20103

https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c

https://github.com/moby/moby/releases/tag/v19.03.15

https://github.com/moby/moby/releases/tag/v20.10.3

https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc

https://security.gentoo.org/glsa/202107-23

https://security.netapp.com/advisory/ntap-20210226-0005/

https://www.debian.org/security/2021/dsa-4865