CVE-2021-41089 : Moby is an open-source project created by Docker to enable software containeriza

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Published 2021-10-04 21:15:13

Updated 2022-06-14 11:15:11

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-41089

Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Mobyproject » Moby
Versions before (<) 20.10.9
cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41089

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41089

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.4	MEDIUM	AV:L/AC:M/Au:N/C:P/I:P/A:P	3.4	6.4	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.3	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	2.0	3.7	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: Low
2.8	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N	1.1	1.4	GitHub, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2021-41089

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2021-41089

https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf

CVEs referencing this url
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a

Merge pull request #4 from moby/20.10-ghsa-v994-f8vw-g7j4-chroot-mkdir · moby/moby@bce32e5 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/

[SECURITY] Fedora 35 Update: moby-engine-20.10.9-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4

`docker cp` allows unexpected chmod of host files · Advisory · moby/moby · GitHub
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/

[SECURITY] Fedora 34 Update: moby-engine-20.10.9-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-41089

Products affected by CVE-2021-41089

Exploit prediction scoring system (EPSS) score for CVE-2021-41089

CVSS scores for CVE-2021-41089

CWE ids for CVE-2021-41089

References for CVE-2021-41089