CVE-2021-41089

EUVD-2024-2176

04.10.2021, 21:15

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.8 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
GitHub_M	CNA	2.8 LOW	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Affected Products (NVD)

Vendor	Product	Version
mobyproject	moby	𝑥 < 20.10.9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

docker.io

bookworm	20.10.24+dfsg1-1 fixed
bullseye	20.10.5+dfsg1-1+deb11u2 fixed
bullseye (security)	20.10.5+dfsg1-1+deb11u3 fixed
buster	no-dsa
sid	26.1.5+dfsg1-4 fixed
trixie	26.1.5+dfsg1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

docker.io

bionic	Fixed 20.10.7-0ubuntu1~18.04.2 released
focal	Fixed 20.10.7-0ubuntu1~20.04.2 released
hirsute	Fixed 20.10.7-0ubuntu1~21.04.2 released
impish	Fixed 20.10.7-0ubuntu5 released
jammy	Fixed 20.10.7-0ubuntu7 released
trusty	dne
xenial	Fixed 18.09.7-0ubuntu1~16.04.9+esm1 released

Common Weakness Enumeration

CWE-281 - Improper Preservation of Permissions
The software does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a

https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/

https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a

https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/