Bug 2023448 (CVE-2021-41091) - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41091
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2010238 2010241 2023965 2023966 2023967 2023968 2023969 2024828 2024830 2026050 2026051 2026052 2026053 2026054 2026055 2026056 2026057
Blocks: 2023450
Reported: 2021-11-15 18:06 UTC by Michael Kaplan
Modified: 2022-03-03 19:32 UTC (History)
CC: 35 users

Fixed In Version: moby 20.10.9
Doc Type: If docs needed, set a value
Doc Text:
A file permissions vulnerability was found in Moby (Docker Engine). The Moby data directory (usually /var/lib/docker) contains subdirectories with insufficiently restricted permissions, allowing unprivileged Linux users to traverse directory contents and execute programs. When a running container contains executable programs with extended permission bits (such as setuid), unprivileged Linux users can discover and execute those programs. Additionally, when the UID of an unprivileged Linux user on the host collides with the file owner or group inside a container, that host user can discover, read, and modify those files. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2022-03-03 19:32:54 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2022:0735 (Private: None, Priority: None, Status: None; last updated 2022-03-03 06:58:06 UTC)

Description Michael Kaplan 2021-11-15 18:06:12 UTC
A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. 

References: 

https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558
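The following script is an added example for administrators checking a host for the condition this bug describes; it is not part of the bug report and not moby's own code. It audits a container data root (defaulting to /var/lib/docker, as named in the description) for directories that grant any permission bit to "other" users, and offers a hardening step that strips those bits from the root directory only, which is enough to stop traversal because every path component needs execute permission to be traversed. It assumes GNU find (for `-perm /`), and the `--demo` mode builds a constructed temporary tree rather than touching the real data root.

```shell
#!/bin/sh
# Audit a container data root for directories reachable by "other" users.
# Default root is /var/lib/docker (the directory named in CVE-2021-41091).

# Print every directory under the root (root included) that has any
# read, write or execute bit set for "other". Exit 2 if the root is missing.
audit_data_root() {
  root="${1:-/var/lib/docker}"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
  # GNU find: -perm /o=rwx matches if ANY of the listed bits is set.
  find "$root" -type d -perm /o=rwx 2>/dev/null
}

# Number of exposed directories, as a single integer.
count_exposed() {
  audit_data_root "$1" | wc -l | tr -d ' '
}

# The "other" permission triple of a path, e.g. "r-x" or "---".
other_bits() {
  ls -ld "$1" | cut -c8-10
}

# Remove all "other" bits from the root directory. Subdirectories keep
# their modes, but without execute on the root they can no longer be
# traversed by unprivileged users. (Illustrative step; the upstream fix
# for this CVE is in the commit referenced above.)
harden_data_root() {
  root="${1:-/var/lib/docker}"
  [ -d "$root" ] || return 2
  chmod o-rwx "$root"
}

# Build a constructed tree resembling a data root: one directory that
# leaks execute to "other", one that does not, and a nested leaky one.
make_demo_tree() {
  base=$(mktemp -d)
  mkdir -m 0700 "$base/root"
  mkdir -m 0711 "$base/root/overlay2"      # exposed: o+x
  mkdir -m 0755 "$base/root/overlay2/l"    # exposed: o+rx
  mkdir -m 0700 "$base/root/containers"    # not exposed
  echo "$base/root"
}

# Run with --demo to see the audit against the constructed tree.
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(make_demo_tree)
  echo "exposed directories under $demo_root:"
  audit_data_root "$demo_root"
  harden_data_root "$demo_root"
  echo "root 'other' bits after hardening: $(other_bits "$demo_root")"
fi
```

On a real host, run `audit_data_root` as root (the subdirectories are not readable otherwise) and treat any output as a sign that the engine is older than the fixed version or that the modes were altered after installation.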

Comment 8 errata-xmlrpc 2022-03-03 06:58:03 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 9 Product Security DevOps Team 2022-03-03 19:32:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41091

