Bug 2008592 (CVE-2021-41089) - CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file
Summary: CVE-2021-41089 moby: `docker cp` allows unexpected chmod of host file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41089
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2009329 2009330 2010238 2010239 2010240 2010241 2012387 2012388 2012389 2012390 2012391 2012392 2012393 2012394 2023965 2023966
Blocks: 2008593
Reported: 2021-09-28 15:48 UTC by Pedro Sampaio
Modified: 2022-05-02 08:28 UTC (History)

Fixed In Version: moby 20.10.9
Doc Type: If docs needed, set a value
Doc Text:
A file permissions vulnerability was found in Moby (Docker Engine). Copying files with `docker cp` into a specially-crafted container can change the Unix file permissions of existing files on the host's filesystem, which might lead to privilege escalation and give an attacker access to restricted data.
Clone Of:
Environment:
Last Closed: 2021-10-28 09:07:19 UTC
Embargoed:


Links
System                   ID                  Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2022:0735      0        None      None    None     2022-03-03 06:57:51 UTC

Description Pedro Sampaio 2021-09-28 15:48:58 UTC
A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host's filesystem, widening access to others.

References:

https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4

Comment 9 errata-xmlrpc 2022-03-03 06:57:49 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

