2023448 – (CVE-2021-41091) CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal

Bug 2023448 (CVE-2021-41091) - CVE-2021-41091 moby: data directory contains subdirectories with insufficiently restricted permissions, which could lead to directory traversal

Summary: CVE-2021-41091 moby: data directory contains subdirectories with insufficient...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-41091
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2010238 2010241 2023965 2023966 2023967 2023968 2023969 2024828 2024830 2026050 2026051 2026052 2026053 2026054 2026055 2026056 2026057
Blocks:	2023450
TreeView+	depends on / blocked

Reported:	2021-11-15 18:06 UTC by Michael Kaplan
Modified:	2022-03-03 19:32 UTC (History)
CC List:	35 users (show)
Fixed In Version:	moby 20.10.9
Clone Of:
Environment:
Last Closed:	2022-03-03 19:32:54 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:0735	0	None	None	None	2022-03-03 06:58:06 UTC

Description Michael Kaplan 2021-11-15 18:06:12 UTC

A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. 

References: 

https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558

Comment 8 errata-xmlrpc 2022-03-03 06:58:03 UTC

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 9 Product Security DevOps Team 2022-03-03 19:32:51 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41091

Note You need to log in before you can comment on or make changes to this bug.

alazar
amurdaca
aos-bugs
aos-install
bdettelb
bmontgom
caswilli
cnv-qe-bugs
crarobin
dwalsh
eparis
fdeutsch
fdupont
fjansen
gghezzo
gparvin
jburrell
jhrozek
jmadigan
jramanat
kaycoth
lgamliel
mfilanov
mrogers
ngough
nstielau
pahickey
pamccart
pdhamdhe
rfreiman
sponnaga
stcannon
team-winc
vkumar
xiyuan