CVE-2021-41091

Severity: 6.3 MEDIUM
EPSS: 4.7% (top 10.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 4; Latest update Jun 28

Description

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Exploitability: 2.0 | Impact: 3.7

Affected Packages (5 packages)

NVD: mobyproject/moby < 20.10.9
CVEListV5: moby/moby < 20.10.9
Go: github.com/moby/moby < 20.10.9+1
Go: github.com/docker/docker < 20.10.9+1
Debian: docker.io < 20.10.5+dfsg1-1+deb11u1+3

Also affects: Fedora 34, 35

Patches

Vulnerability Details (5)

OSV: Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker (2024-06-28)
GHSA: Moby (Docker Engine) Insufficiently restricted permissions on data directory (2024-01-31)
OSV: Moby (Docker Engine) Insufficiently restricted permissions on data directory (2024-01-31)
CVEList: Insufficiently restricted permissions on data directory in Docker Engine (2021-10-04)
OSV: CVE-2021-41091: Moby is an open-source project created by Docker to enable software containerization (2021-10-04)

Vendor Advisories (2)

Red Hat: moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal (2021-10-04)
Debian: CVE-2021-41091: docker.io - Moby is an open-source project created by Docker to enable software containeriza... (2021)
CVE-2021-41091 (MEDIUM CVSS 6.3) | Moby is an open-source project crea | cvebase.io