CVE-2021-41092: Sensitive Information Exposure in Docker CLI

Severity
7.5 HIGH (NVD)
EPSS
0.1%
top 77.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 4, 2021
Latest update: Jul 1, 2024

Description

Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update
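The exposure only occurs when `config.json` names a credential helper that the CLI cannot run, so the practical question on a workstation is whether any configured helper is missing from PATH. The Go program below is an added example, not code from this page or from the docker/cli project: it parses the `credsStore` and `credHelpers` fields, maps each helper name to the `docker-credential-<name>` executable the CLI would invoke, and reports the ones that cannot be resolved. The sample `config.json` embedded in it is constructed for offline use; the `main` function audits the real file (honouring `DOCKER_CONFIG`, the CLI's config-directory override).

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"sort"
)

// dockerConfig holds the two ~/.docker/config.json fields that select a
// credential helper; everything else in the file is irrelevant to this check.
type dockerConfig struct {
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// sampleConfig is a constructed config.json for offline use (not a real file):
// "desktop" is the store for every registry, "osxkeychain" and "pass" override
// it for two hosts. Which of these exist on PATH is decided by the lookup
// function passed to brokenHelpers, so the sample exercises both outcomes.
const sampleConfig = `{
  "auths": { "my-private-registry.example.com": {} },
  "credsStore": "desktop",
  "credHelpers": {
    "my-private-registry.example.com": "osxkeychain",
    "registry.example.org": "pass"
  }
}`

// helperBinary maps a helper name to the executable the CLI runs for it:
// the value "pass" in config.json selects "docker-credential-pass" on PATH.
func helperBinary(name string) string {
	return "docker-credential-" + name
}

// brokenHelpers parses a config.json body and returns, sorted, every helper
// named by credsStore or credHelpers whose binary lookPath cannot resolve.
// lookPath is a parameter so the check can run offline; pass exec.LookPath
// for a real audit.
func brokenHelpers(configJSON []byte, lookPath func(string) (string, error)) ([]string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	named := map[string]bool{}
	if cfg.CredsStore != "" {
		named[cfg.CredsStore] = true
	}
	for _, helper := range cfg.CredHelpers {
		if helper != "" {
			named[helper] = true
		}
	}
	var broken []string
	for name := range named {
		if _, err := lookPath(helperBinary(name)); err != nil {
			broken = append(broken, name)
		}
	}
	sort.Strings(broken)
	return broken, nil
}

// main audits the current user's real config.json against the real PATH.
func main() {
	dir := os.Getenv("DOCKER_CONFIG")
	if dir == "" {
		home, err := os.UserHomeDir()
		if err != nil {
			fmt.Fprintln(os.Stderr, "cannot locate home directory:", err)
			os.Exit(1)
		}
		dir = filepath.Join(home, ".docker")
	}
	path := filepath.Join(dir, "config.json")
	data, err := os.ReadFile(path)
	if err != nil {
		fmt.Println("nothing to audit:", err)
		return
	}
	broken, err := brokenHelpers(data, exec.LookPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(broken) == 0 {
		fmt.Println("all configured credential helpers are executable")
		return
	}
	for _, name := range broken {
		fmt.Printf("%s names helper %q but %s is not on PATH\n", path, name, helperBinary(name))
	}
}
```

A non-empty result on a host that ran `docker login <private-registry>` with a CLI older than 20.10.9 means the password or token typed at that prompt was sent to Docker Hub instead of the private registry; treat it as exposed and rotate it, in addition to upgrading the CLI and fixing or removing the helper entry.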

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Source      Package                  Affected range
CVEList V5  docker/cli               < 20.10.9
Debian      debian/docker.io         < docker.io 20.10.10+dfsg1-1 (bookworm)
Go          github.com/docker/cli    < 20.10.9+1

Also affects: Fedora 34, 35

Patches

Vulnerability Details (4)

OSV   2024-07-01  Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli
GHSA  2024-06-10  Docker CLI leaks private registry credentials to registry-1.docker.io
OSV   2024-06-10  Docker CLI leaks private registry credentials to registry-1.docker.io
OSV   2021-10-04  CVE-2021-41092: Docker CLI is the command line interface for the docker container runtime

Vendor Advisories (4)

CISA ICS  2022-06-16  Siemens SCALANCE LPE9403 Third-Party Vulnerabilities
Ubuntu    2021-11-09  Docker vulnerability
Red Hat   2021-10-04  docker: cli leaks private registry credentials to registry-1.docker.io
Debian    2021        CVE-2021-41092: docker.io - Docker CLI is the command line interface for the docker container runtime. A bug...