CVE-2021-41091

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-41091

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41091.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-41091

Aliases

Related

Published

2021-10-04T21:15:12Z

Modified

2024-09-11T04:49:30.243865Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.

References

Affected packages

Debian:11 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.10.5+dfsg1-1+deb11u1

Affected versions

20.*

20.10.5+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.10.10+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / docker.io

Package

Name: docker.io
Purl: pkg:deb/debian/docker.io?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.10.10+dfsg1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/moby/moby

Affected ranges

Type: GIT
Repo: https://github.com/moby/moby
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f0ab919f518c47240ea0e72d0999576bb8008e64

Affected versions

0.*

0.0.3

Other

autorun/1

docs-v1.*

docs-v1.12.0-rc4-2016-07-15

upstream/0.*

upstream/0.1.1

upstream/0.1.2

upstream/0.1.3

upstream/0.1.4

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.10.0

v0.11.0

v0.11.1

v0.12.0

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.7.0

v0.7.0-rc5

v0.7.0-rc6

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.8.0

v0.8.1

v0.9.0

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v17.*

v17.12.0-ce-rc1

v18.*

v18.04.0-ce-rc1

v18.06.0-ce-rc1

v18.09.0-ce-tp0

v19.*

v19.03.0-beta1

v19.03.0-beta2

v19.03.0-beta3

v20.*

v20.10.0

v20.10.0-beta1

v20.10.0-rc1

v20.10.0-rc2

v20.10.1

v20.10.2

v20.10.3

v20.10.4

v20.10.5

v20.10.6

v20.10.7

v20.10.8