CVE-2021-41089
Published 2021-10-04
Priority P430 · medium · 6.3 (CVSS 3.1) · AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.27% (18.5th percentile)
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 20.10.10+dfsg1-1 (bookworm) | docker.io 20.10.10+dfsg1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | docker_docker | >= 0 < 20.10.9+incompatible | 20.10.9+incompatible |
| github.com | docker_docker | >= 0 < 20.10.9 | 20.10.9 |
| github.com | moby_moby | >= 0 < 20.10.9+incompatible | 20.10.9+incompatible |
| moby | moby | < 20.10.9 | 20.10.9 |
| mobyproject | moby | < 20.10.9 | 20.10.9 |
CVSS provenance
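| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| nvd | v2.0 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.3 | MEDIUM | — |
| vendor_debian | — | 2.8 | LOW | — |
| vendor_redhat | — | 2.8 | LOW | — |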
CISA ICS
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
cisa_ics·2022-06-16·CVSS 9.8
[CRITICAL] Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
ICS Advisory
Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
Last Revised: June 16, 2022
Alert Code: ICSA-22-167-09
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely, low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE LPE9403
- Vulnerabilities: Multiple
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause crashes and unrestricted file access, impacting the product’s confidentiality, integrity, and availability.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of SCALANCE LPE9403 (Local Processing
Ubuntu
docker.io vulnerability
vendor_ubuntu·2021-10-04
CVE-2021-41089 docker.io vulnerability
Title: docker.io vulnerability
Summary: Docker could be made to adjust the permissions of files.
Lei Wang and Ruizhi Xiao discovered that the Moby Docker engine in
Docker incorrectly allowed the docker cp command to make permissions
changes in the host filesystem in some situations. A local attacker
could possibly use this to expose sensitive information or gain
administrative privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
moby: `docker cp` allows unexpected chmod of host file
vendor_redhat·2021-10-04·CVSS 2.8
CVE-2021-41089 [LOW] CWE-552 moby: `docker cp` allows unexpected chmod of host file
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
A file permissions vulnerability was found in Moby (Docker Engine). Copying files by using `docker cp` into a specially-crafted container ca
Debian
CVE-2021-41089: docker.io - Moby is an open-source project created by Docker to enable software containeriza...
vendor_debian·2021·CVSS 2.8
CVE-2021-41089 [LOW] CVE-2021-41089: docker.io - Moby is an open-source project created by Docker to enable software containeriza...
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
Scope: local
bookworm: resolved (fixed in 20.10.10+dfsg1-1)
bullseye: resolved (fixed in 20.10.5+dfsg1-1+deb11u1)
forky: resolved (fixed in 20.10.10+dfsg1-1)
sid: resolved (fixed in 20.10.10+dfsg1-
OSV
Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker
osv·2024-06-14
CVE-2021-41089 Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker
OSV
`docker cp` allows unexpected chmod of host files in Moby Docker Engine
osv·2024-06-10
CVE-2021-41089 [LOW] `docker cp` allows unexpected chmod of host files in Moby Docker Engine
## Impact
A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
## Patches
This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
## Workarounds
Ensure you only run trusted containers.
## Credits
The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with t
GHSA
`docker cp` allows unexpected chmod of host files in Moby Docker Engine
ghsa·2024-06-10
CVE-2021-41089 [LOW] CWE-281 `docker cp` allows unexpected chmod of host files in Moby Docker Engine
## Impact
A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
## Patches
This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
## Workarounds
Ensure you only run trusted containers.
## Credits
The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with t
OSV
CVE-2021-41089: Moby is an open-source project created by Docker to enable software containerization
osv·2021-10-04·CVSS 6.3
CVE-2021-41089 [MEDIUM] CVE-2021-41089: Moby is an open-source project created by Docker to enable software containerization
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
- https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/
2021-10-04
Published