CVE Vulnerabilities

CVE-2021-41089

Improper Preservation of Permissions

Published: Oct 04, 2021 | Modified: Nov 07, 2023
CVSS 3.x
6.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CVSS 2.x
4.4 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Ubuntu
MEDIUM

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Weakness

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Software

Name Vendor Start Version End Version
Moby Mobyproject * 20.10.9 (excluding)
Migration Toolkit for Virtualization 2.2 RedHat migration-toolkit-virtualization/mtv-controller-rhel8:2.2.0-39 *
Docker.io Ubuntu bionic *
Docker.io Ubuntu devel *
Docker.io Ubuntu esm-apps/xenial *
Docker.io Ubuntu focal *
Docker.io Ubuntu hirsute *
Docker.io Ubuntu impish *
Docker.io Ubuntu jammy *
Docker.io Ubuntu trusty *
Docker.io Ubuntu upstream *
Docker.io Ubuntu xenial *

References