CVE-2021-21285 — Uncontrolled Resource Consumption in Docker

CWE-400 — Uncontrolled Resource Consumption CWE-754 — Improper Check for Unusual or Exceptional Conditions CWE-354 — Improper Validation of Integrity Check Value8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 42.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moby Github.com Moby Moby Docker +2 more

Timeline

PublishedFeb 2

Latest updateJan 31

Description

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDdocker/docker20.0.0 — 20.10.3+1

▶CVEListV5moby/moby< 19.03.15+1

▶Gogithub.com/moby_moby20.10.0-beta1 — 20.10.3+1

▶NVDnetapp/e-series_santricity_os_controller11.0 — 11.60.3

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: security.gentoo.org ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

moby docker daemon crash during image pull of malicious image↗2024-01-31

▶

GHSA

moby docker daemon crash during image pull of malicious image↗2024-01-31

▶

CVEList

Docker daemon crash during image pull of malicious image↗2021-02-02

▶

OSV

CVE-2021-21285: In Docker before versions 9↗2021-02-02

▶

📋Vendor Advisories

Microsoft

Docker daemon crash during image pull of malicious image↗2021-02-09

▶

Red Hat

docker: daemon crash during image pull of malicious image↗2021-02-01

▶

Debian

CVE-2021-21285: docker.io - In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pul...↗2021

▶