CVE-2021-41089

Severity: 6.3 MEDIUM
EPSS: 0.0% (top 91.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 4
Latest update: Jun 14

Description

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Us

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Exploitability: 1.1 | Impact: 1.4

Affected Packages (5 packages)

NVD: mobyproject/moby < 20.10.9
CVEListV5: moby/moby < 20.10.9
Go: github.com/moby/moby < 20.10.9+incompatible
Go: github.com/docker/docker < 20.10.9+incompatible +1
Debian: docker.io < 20.10.5+dfsg1-1+deb11u1 +3

Also affects: Fedora 34, 35

Patches

🔴 Vulnerability Details (5)

OSV: Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker (2024-06-14)
OSV: `docker cp` allows unexpected chmod of host files in Moby Docker Engine (2024-06-10)
GHSA: `docker cp` allows unexpected chmod of host files in Moby Docker Engine (2024-06-10)
OSV: CVE-2021-41089: Moby is an open-source project created by Docker to enable software containerization (2021-10-04)
CVEList: `docker cp` allows unexpected chmod of host files (2021-10-04)

📋 Vendor Advisories (3)

Ubuntu: docker.io vulnerability (2021-10-04)
Red Hat: moby: `docker cp` allows unexpected chmod of host file (2021-10-04)
Debian: CVE-2021-41089: docker.io - Moby is an open-source project created by Docker to enable software containeriza... (2021)