ubuntucve | Ubuntu.com | UB:CVE-2021-41091
History: Oct 04, 2021 - 12:00 a.m.

CVE-2021-41091

CVSS3: 6.3 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0005 Low
Percentile: 15.1%

Moby is an open-source project created by Docker to enable software
containerization. A bug was found in Moby (Docker Engine) where the data
directory (typically /var/lib/docker) contained subdirectories with
insufficiently restricted permissions, allowing otherwise unprivileged
Linux users to traverse directory contents and execute programs. When
containers included executable programs with extended permission bits (such
as setuid), unprivileged Linux users could discover and execute those
programs. When the UID of an unprivileged Linux user on the host collided
with the file owner or group inside a container, the unprivileged Linux
user on the host could discover, read, and modify those files. This bug has
been fixed in Moby (Docker Engine) 20.10.9. Users should update to this
version as soon as possible. Running containers should be stopped and
restarted for the permissions to be fixed. For users unable to upgrade,
limit access to the host to trusted users. Limit access to host volumes to
trusted containers.
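
An added example, not part of the advisory or of Moby's code: a host-side audit for the exposure described above, listing setuid/setgid files under a data directory that stay reachable through directories searchable by "other". The function name `reachable_setid` and the reachability rule (every directory on the path, and the file itself, has the o+x bit) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit helper, not Docker/Moby code.
# reachable_setid DIR
#   Prints setuid/setgid regular files under DIR that a user with no
#   ownership or group relation could still reach and execute, i.e.
#   every directory from DIR down to the file has the "other" search
#   bit (o+x) and the file itself has o+x.
reachable_setid() {
    dir=$1
    # Branch 1: a directory without o+x blocks traversal, so prune it.
    # Branch 2: report setuid (4000) or setgid (2000) files with o+x.
    find "$dir" \
        \( -type d ! -perm -o=x -prune \) -o \
        \( -type f \( -perm -4000 -o -perm -2000 \) -perm -o=x -print \)
}

# Usage: sh audit.sh /var/lib/docker   (run as root to see every subtree)
if [ "$#" -gt 0 ]; then
    reachable_setid "$1"
fi
```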

Notes

Author: sbeattie
Note: looks to have possibly been introduced in e908cc39018c015084ffbffbc5703ccba5c2fbb7 (v20.10.3)

OS      Version  Architecture  Package    Version             Filename
ubuntu  21.10    noarch        docker.io  < 20.10.7-0ubuntu5  UNKNOWN
ubuntu  22.10    noarch        docker.io  < 20.10.7-0ubuntu5  UNKNOWN
ubuntu  18.04    noarch        docker.io  < 20.10.7-0ubuntu5  UNKNOWN
ubuntu  20.04    noarch        docker.io  < 20.10.7-0ubuntu5  UNKNOWN
ubuntu  22.04    noarch        docker.io  < 20.10.7-0ubuntu5  UNKNOWN
