Vulnerability-Lookup

CVE-2021-21284 (GCVE-0-2021-21284)

Vulnerability from cvelistv5 – Published: 2021-02-02 17:55 – Updated: 2024-08-03 18:09

Title

privilege escalation in Moby

Summary

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

8 references

URL	Tags
https://docs.docker.com/engine/release-notes/#20103	x_refsource_MISC
https://github.com/moby/moby/releases/tag/v20.10.3	x_refsource_MISC
https://github.com/moby/moby/releases/tag/v19.03.15	x_refsource_MISC
https://github.com/moby/moby/security/advisories/…	x_refsource_CONFIRM
https://github.com/moby/moby/commit/64bd4485b3a66…	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2021022…	x_refsource_CONFIRM
https://www.debian.org/security/2021/dsa-4865	vendor-advisoryx_refsource_DEBIAN
https://security.gentoo.org/glsa/202107-23	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
moby	moby	Affected: < 19.03.15 Affected: >= 20.0.0, < 20.10.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.042Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.docker.com/engine/release-notes/#20103"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
          },
          {
            "name": "DSA-4865",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4865"
          },
          {
            "name": "GLSA-202107-23",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-23"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 19.03.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0, \u003c 20.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-10T04:06:25.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.docker.com/engine/release-notes/#20103"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
        },
        {
          "name": "DSA-4865",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4865"
        },
        {
          "name": "GLSA-202107-23",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-23"
        }
      ],
      "source": {
        "advisory": "GHSA-7452-xqpj-6rpc",
        "discovery": "UNKNOWN"
      },
      "title": "privilege escalation in Moby",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21284",
          "STATE": "PUBLIC",
          "TITLE": "privilege escalation in Moby"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "moby",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 19.03.15"
                          },
                          {
                            "version_value": "\u003e= 20.0.0, \u003c 20.10.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "moby"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.docker.com/engine/release-notes/#20103",
              "refsource": "MISC",
              "url": "https://docs.docker.com/engine/release-notes/#20103"
            },
            {
              "name": "https://github.com/moby/moby/releases/tag/v20.10.3",
              "refsource": "MISC",
              "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
            },
            {
              "name": "https://github.com/moby/moby/releases/tag/v19.03.15",
              "refsource": "MISC",
              "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
            },
            {
              "name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
              "refsource": "CONFIRM",
              "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
            },
            {
              "name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
              "refsource": "MISC",
              "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
            },
            {
              "name": "DSA-4865",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4865"
            },
            {
              "name": "GLSA-202107-23",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-23"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-7452-xqpj-6rpc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21284",
    "datePublished": "2021-02-02T17:55:22.000Z",
    "dateReserved": "2020-12-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:09:15.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-21284",
      "date": "2026-05-19",
      "epss": "0.0002",
      "percentile": "0.05733"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"19.03.15\", \"matchCriteriaId\": \"C6B22016-AB78-4E82-9F65-AEC2526F3EDF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"20.0.0\", \"versionEndExcluding\": \"20.10.3\", \"matchCriteriaId\": \"B4427D14-D219-490B-8467-40FE253775A1\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"11.0.0\", \"versionEndIncluding\": \"11.60.3\", \"matchCriteriaId\": \"BD1E9594-C46F-40D1-8BC2-6B16635B55C4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \\\"--userns-remap\\\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \\\"/var/lib/docker/\u003cremapping\u003e\\\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\"}, {\"lang\": \"es\", \"value\": \"En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opci\\u00f3n --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual.\u0026#xa0;Cuando se usa \\\"--userns-remap\\\", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en \\\"/var/lib/docker/(remapping)\\\" que causa la escritura de archivos con privilegios extendidos.\u0026#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que evitan una escalada de privilegios del usuario reasignado\"}]",
      "id": "CVE-2021-21284",
      "lastModified": "2024-11-21T05:47:55.867",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 4.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:A/AC:L/Au:S/C:N/I:P/A:N\", \"baseScore\": 2.7, \"accessVector\": \"ADJACENT_NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 5.1, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-02T18:15:11.827",
      "references": "[{\"url\": \"https://docs.docker.com/engine/release-notes/#20103\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/releases/tag/v19.03.15\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/releases/tag/v20.10.3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202107-23\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210226-0005/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4865\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://docs.docker.com/engine/release-notes/#20103\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/releases/tag/v19.03.15\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/releases/tag/v20.10.3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202107-23\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210226-0005/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4865\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21284\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-02T18:15:11.827\",\"lastModified\":\"2024-11-21T05:47:55.867\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \\\"--userns-remap\\\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \\\"/var/lib/docker/\u003cremapping\u003e\\\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\"},{\"lang\":\"es\",\"value\":\"En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opci\u00f3n --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual.\u0026#xa0;Cuando se usa \\\"--userns-remap\\\", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en \\\"/var/lib/docker/(remapping)\\\" que causa la escritura de archivos con privilegios extendidos.\u0026#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que evitan una escalada de privilegios del usuario reasignado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":2.7,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":5.1,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"19.03.15\",\"matchCriteriaId\":\"C6B22016-AB78-4E82-9F65-AEC2526F3EDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.10.3\",\"matchCriteriaId\":\"B4427D14-D219-490B-8467-40FE253775A1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.60.3\",\"matchCriteriaId\":\"BD1E9594-C46F-40D1-8BC2-6B16635B55C4\"}]}]}],\"references\":[{\"url\":\"https://docs.docker.com/engine/release-notes/#20103\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v19.03.15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v20.10.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-23\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210226-0005/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4865\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://docs.docker.com/engine/release-notes/#20103\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v19.03.15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v20.10.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210226-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4865\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-490

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans IBM Spectrum Protect. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Spectrum	IBM Spectrum Protect Plus versions 10.1.x antérieures à 10.1.8.1

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6466435 du 28 juin 2021	None	vendor-advisory
Bulletin de sécurité IBM 6467281 du 28 juin 2021	None	vendor-advisory
Bulletin de sécurité IBM 6466599 du 28 juin 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Spectrum Protect Plus versions 10.1.x ant\u00e9rieures \u00e0 10.1.8.1",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-27919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27919"
    },
    {
      "name": "CVE-2021-21343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
    },
    {
      "name": "CVE-2021-21348",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
    },
    {
      "name": "CVE-2021-29505",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
    },
    {
      "name": "CVE-2020-26258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26258"
    },
    {
      "name": "CVE-2021-31525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
    },
    {
      "name": "CVE-2021-21344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
    },
    {
      "name": "CVE-2021-33503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33503"
    },
    {
      "name": "CVE-2020-26259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
    },
    {
      "name": "CVE-2021-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2021-21362",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21362"
    },
    {
      "name": "CVE-2021-23358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23358"
    },
    {
      "name": "CVE-2020-14147",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14147"
    },
    {
      "name": "CVE-2021-21347",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
    },
    {
      "name": "CVE-2020-26217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
    },
    {
      "name": "CVE-2021-21346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
    },
    {
      "name": "CVE-2021-29921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29921"
    },
    {
      "name": "CVE-2020-28476",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28476"
    },
    {
      "name": "CVE-2020-7929",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7929"
    },
    {
      "name": "CVE-2021-21351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
    },
    {
      "name": "CVE-2021-21345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
    },
    {
      "name": "CVE-2021-22884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22884"
    },
    {
      "name": "CVE-2021-3177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
    },
    {
      "name": "CVE-2021-22883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22883"
    },
    {
      "name": "CVE-2021-28363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28363"
    },
    {
      "name": "CVE-2021-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
    },
    {
      "name": "CVE-2021-21342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
    },
    {
      "name": "CVE-2021-21350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-490",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-06-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum\nProtect. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Protect",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6466435 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6466435"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6467281 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6467281"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6466599 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6466599"
    }
  ]
}

CERTFR-2021-AVI-700

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	N/A	IBM Security Guardium version 11.2 sans le dernier correctif
	IBM	N/A	IBM Security Guardium version 11.3 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6455281 du 13 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Security Guardium version 11.2 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Security Guardium version 11.3 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-12749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12749"
    },
    {
      "name": "CVE-2020-24606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-24606"
    },
    {
      "name": "CVE-2019-14866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14866"
    },
    {
      "name": "CVE-2021-20428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20428"
    },
    {
      "name": "CVE-2019-5094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5094"
    },
    {
      "name": "CVE-2020-8450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8450"
    },
    {
      "name": "CVE-2019-19956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19956"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2020-8177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
    },
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    },
    {
      "name": "CVE-2019-12450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12450"
    },
    {
      "name": "CVE-2020-10754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10754"
    },
    {
      "name": "CVE-2020-13401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13401"
    },
    {
      "name": "CVE-2019-20388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20388"
    },
    {
      "name": "CVE-2019-14822",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14822"
    },
    {
      "name": "CVE-2019-10785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
    },
    {
      "name": "CVE-2021-20385",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20385"
    },
    {
      "name": "CVE-2020-7595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7595"
    },
    {
      "name": "CVE-2020-5259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
    },
    {
      "name": "CVE-2019-11719",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
    },
    {
      "name": "CVE-2019-12528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12528"
    },
    {
      "name": "CVE-2021-3156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
    },
    {
      "name": "CVE-2020-15810",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15810"
    },
    {
      "name": "CVE-2020-15811",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15811"
    },
    {
      "name": "CVE-2020-8449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8449"
    },
    {
      "name": "CVE-2021-20426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20426"
    },
    {
      "name": "CVE-2020-12825",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12825"
    },
    {
      "name": "CVE-2021-20419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20419"
    },
    {
      "name": "CVE-2019-5482",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5482"
    },
    {
      "name": "CVE-2019-5188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5188"
    },
    {
      "name": "CVE-2021-20389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20389"
    },
    {
      "name": "CVE-2021-20386",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20386"
    },
    {
      "name": "CVE-2020-12049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12049"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-700",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6455281 du 13 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6455281"
    }
  ]
}

CERTFR-2021-AVI-490

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Spectrum	IBM Spectrum Protect Plus versions 10.1.x antérieures à 10.1.8.1

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6466435 du 28 juin 2021	None	vendor-advisory
Bulletin de sécurité IBM 6467281 du 28 juin 2021	None	vendor-advisory
Bulletin de sécurité IBM 6466599 du 28 juin 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Spectrum Protect Plus versions 10.1.x ant\u00e9rieures \u00e0 10.1.8.1",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-27919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-27919"
    },
    {
      "name": "CVE-2021-21343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
    },
    {
      "name": "CVE-2021-21348",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
    },
    {
      "name": "CVE-2021-29505",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
    },
    {
      "name": "CVE-2020-26258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26258"
    },
    {
      "name": "CVE-2021-31525",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
    },
    {
      "name": "CVE-2021-21344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
    },
    {
      "name": "CVE-2021-33503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33503"
    },
    {
      "name": "CVE-2020-26259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
    },
    {
      "name": "CVE-2021-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2021-21362",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21362"
    },
    {
      "name": "CVE-2021-23358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23358"
    },
    {
      "name": "CVE-2020-14147",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14147"
    },
    {
      "name": "CVE-2021-21347",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
    },
    {
      "name": "CVE-2020-26217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
    },
    {
      "name": "CVE-2021-21346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
    },
    {
      "name": "CVE-2021-29921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-29921"
    },
    {
      "name": "CVE-2020-28476",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28476"
    },
    {
      "name": "CVE-2020-7929",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7929"
    },
    {
      "name": "CVE-2021-21351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
    },
    {
      "name": "CVE-2021-21345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
    },
    {
      "name": "CVE-2021-22884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22884"
    },
    {
      "name": "CVE-2021-3177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
    },
    {
      "name": "CVE-2021-22883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22883"
    },
    {
      "name": "CVE-2021-28363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28363"
    },
    {
      "name": "CVE-2021-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
    },
    {
      "name": "CVE-2021-21342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
    },
    {
      "name": "CVE-2021-21350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-490",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-06-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum\nProtect. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Protect",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6466435 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6466435"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6467281 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6467281"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6466599 du 28 juin 2021",
      "url": "https://www.ibm.com/support/pages/node/6466599"
    }
  ]
}

CERTFR-2021-AVI-700

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	N/A	IBM Security Guardium version 11.2 sans le dernier correctif
	IBM	N/A	IBM Security Guardium version 11.3 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6455281 du 13 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Security Guardium version 11.2 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Security Guardium version 11.3 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-12749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12749"
    },
    {
      "name": "CVE-2020-24606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-24606"
    },
    {
      "name": "CVE-2019-14866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14866"
    },
    {
      "name": "CVE-2021-20428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20428"
    },
    {
      "name": "CVE-2019-5094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5094"
    },
    {
      "name": "CVE-2020-8450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8450"
    },
    {
      "name": "CVE-2019-19956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19956"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2020-8177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
    },
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    },
    {
      "name": "CVE-2019-12450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12450"
    },
    {
      "name": "CVE-2020-10754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10754"
    },
    {
      "name": "CVE-2020-13401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13401"
    },
    {
      "name": "CVE-2019-20388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20388"
    },
    {
      "name": "CVE-2019-14822",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14822"
    },
    {
      "name": "CVE-2019-10785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
    },
    {
      "name": "CVE-2021-20385",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20385"
    },
    {
      "name": "CVE-2020-7595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7595"
    },
    {
      "name": "CVE-2020-5259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
    },
    {
      "name": "CVE-2019-11719",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
    },
    {
      "name": "CVE-2019-12528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12528"
    },
    {
      "name": "CVE-2021-3156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
    },
    {
      "name": "CVE-2020-15810",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15810"
    },
    {
      "name": "CVE-2020-15811",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15811"
    },
    {
      "name": "CVE-2020-8449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8449"
    },
    {
      "name": "CVE-2021-20426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20426"
    },
    {
      "name": "CVE-2020-12825",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12825"
    },
    {
      "name": "CVE-2021-20419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20419"
    },
    {
      "name": "CVE-2019-5482",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5482"
    },
    {
      "name": "CVE-2019-5188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5188"
    },
    {
      "name": "CVE-2021-20389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20389"
    },
    {
      "name": "CVE-2021-20386",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20386"
    },
    {
      "name": "CVE-2020-12049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12049"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-700",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6455281 du 13 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6455281"
    }
  ]
}

BDU:2021-01893

Vulnerability from fstec - Published: 22.12.2020

Title

Уязвимость опции --userns-remap средства автоматизации развёртывания и управления приложениями в средах с поддержкой контейнеризации Docker, связанная с некорректным ограничением имени пути к каталогу, позволяющая нарушителю оказать воздействие на целостность данных

Description

Уязвимость опции --userns-remap средства автоматизации развёртывания и управления приложениями в средах с поддержкой контейнеризации Docker связана с некорректным ограничением имени пути к каталогу. Эксплуатация уязвимости позволяет нарушителю, действующему удаленно, оказать воздействие на целостность данных

Severity ?


                    
                      AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Vendor

Сообщество свободного программного обеспечения, Docker Inc., ООО «РусБИТех-Астра», АО "НППКТ", АО «Концерн ВНИИНС»

Software Name

Debian GNU/Linux, Docker, Astra Linux Special Edition (запись в едином реестре российских программ №369), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

10 (Debian GNU/Linux), до 19.03.15 (Docker), от 20.0.0 до 20.10.3 (Docker), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), до 2.1 (ОСОН ОСнова Оnyx), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций: Для Docker: Обновление программного обеспечения до 20.10.5+dfsg1-1 или более поздней версии Для Debian: Обновление программного обеспечения (пакета docker.io) до 18.09.1+dfsg1-7.1+deb10u3 или более поздней версии Для ОСОН Основа: Обновление программного обеспечения docker.io до версии 18.09.1+dfsg1-7.1+deb10u3.osnova5 Для ОС Astra Linux Special Edition 1.7: обновить пакет docker.io до 24.0.2+astra14 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17 Для ОС ОН «Стрелец»: Обновление программного обеспечения docker.io до версии 18.09.1+dfsg1-7.1+deb10u3.osnova5 Для Astra Linux Special Edition 4.7: обновить пакет docker.io до 24.0.2+ci1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47

Reference

https://docs.docker.com/engine/release-notes/#20103 https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c https://nvd.nist.gov/vuln/detail/CVE-2021-21284 https://security-tracker.debian.org/tracker/CVE-2021-21284 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.1/ https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17 https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023 https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47

CWE

CWE-22

JSON

To clipboard

{
  "CVSS 2.0": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
  "CVSS 3.0": "AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Docker Inc., \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "10 (Debian GNU/Linux), \u0434\u043e 19.03.15 (Docker), \u043e\u0442 20.0.0 \u0434\u043e 20.10.3 (Docker), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), \u0434\u043e 2.1 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Docker:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e 20.10.5+dfsg1-1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Debian:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 docker.io) \u0434\u043e 18.09.1+dfsg1-7.1+deb10u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f docker.io \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 18.09.1+dfsg1-7.1+deb10u3.osnova5\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io \u0434\u043e 24.0.2+astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f docker.io \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 18.09.1+dfsg1-7.1+deb10u3.osnova5\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io \u0434\u043e 24.0.2+ci1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.12.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "27.04.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.04.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-01893",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-21284",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Docker, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u043f\u0446\u0438\u0438 --userns-remap \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0437\u0432\u0451\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0432 \u0441\u0440\u0435\u0434\u0430\u0445 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0438 Docker, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443 \u0441 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (\u00ab\u041e\u0431\u0445\u043e\u0434 \u043f\u0443\u0442\u0438\u00bb) (CWE-22)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u043f\u0446\u0438\u0438 --userns-remap \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0437\u0432\u0451\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0432 \u0441\u0440\u0435\u0434\u0430\u0445 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0438 Docker \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://docs.docker.com/engine/release-notes/#20103\nhttps://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21284\nhttps://security-tracker.debian.org/tracker/CVE-2021-21284\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.1/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-22",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 2,7)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,6)"
}

CNVD-2021-14789

Vulnerability from cnvd - Published: 2021-03-07

Title

Docker路径遍历漏洞

Description

Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器（轻量级虚拟机）并部署和运行应用程序，以及通过配置文件实现应用程序的自动化安装、部署和升级。 Docker before versions 9.03.15, 20.10.3存在安全漏洞，该漏洞源于被映射的命名空间中的根用户可以访问主机文件系统。目前没有详细漏洞细节提供。

Severity

低

Patch Name

Docker路径遍历漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21284

Impacted products

Name
['Docker Docker <9.03.15', 'Docker Docker <20.10.3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21284",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284"
    }
  },
  "description": "Docker\u662f\u7f8e\u56fdDocker\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5e94\u7528\u5bb9\u5668\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u5728Linux\u7cfb\u7edf\u4e0a\u521b\u5efa\u4e00\u4e2a\u5bb9\u5668\uff08\u8f7b\u91cf\u7ea7\u865a\u62df\u673a\uff09\u5e76\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u901a\u8fc7\u914d\u7f6e\u6587\u4ef6\u5b9e\u73b0\u5e94\u7528\u7a0b\u5e8f\u7684\u81ea\u52a8\u5316\u5b89\u88c5\u3001\u90e8\u7f72\u548c\u5347\u7ea7\u3002\n\nDocker before versions 9.03.15, 20.10.3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u88ab\u6620\u5c04\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u7684\u6839\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u4e3b\u673a\u6587\u4ef6\u7cfb\u7edf\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-14789",
  "openTime": "2021-03-07",
  "patchDescription": "Docker\u662f\u7f8e\u56fdDocker\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5e94\u7528\u5bb9\u5668\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u5728Linux\u7cfb\u7edf\u4e0a\u521b\u5efa\u4e00\u4e2a\u5bb9\u5668\uff08\u8f7b\u91cf\u7ea7\u865a\u62df\u673a\uff09\u5e76\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u901a\u8fc7\u914d\u7f6e\u6587\u4ef6\u5b9e\u73b0\u5e94\u7528\u7a0b\u5e8f\u7684\u81ea\u52a8\u5316\u5b89\u88c5\u3001\u90e8\u7f72\u548c\u5347\u7ea7\u3002\r\n\r\nDocker before versions 9.03.15, 20.10.3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u88ab\u6620\u5c04\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u7684\u6839\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u4e3b\u673a\u6587\u4ef6\u7cfb\u7edf\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Docker\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Docker Docker \u003c9.03.15",
      "Docker Docker \u003c20.10.3"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284",
  "serverity": "\u4f4e",
  "submitTime": "2021-02-26",
  "title": "Docker\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

FKIE_CVE-2021-21284

Vulnerability from fkie_nvd - Published: 2021-02-02 18:15 - Updated: 2024-11-21 05:47

Severity ?

6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://docs.docker.com/engine/release-notes/#20103	Release Notes, Vendor Advisory
security-advisories@github.com	https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/moby/moby/releases/tag/v19.03.15	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/moby/moby/releases/tag/v20.10.3	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc	Third Party Advisory
security-advisories@github.com	https://security.gentoo.org/glsa/202107-23	Patch, Third Party Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20210226-0005/	Third Party Advisory
security-advisories@github.com	https://www.debian.org/security/2021/dsa-4865	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.docker.com/engine/release-notes/#20103	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/moby/moby/releases/tag/v19.03.15	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/moby/moby/releases/tag/v20.10.3	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202107-23	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210226-0005/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2021/dsa-4865	Third Party Advisory

Impacted products

Vendor	Product	Version
docker	docker	*
docker	docker	*
debian	debian_linux	10.0
netapp	e-series_santricity_os_controller	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6B22016-AB78-4E82-9F65-AEC2526F3EDF",
              "versionEndExcluding": "19.03.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4427D14-D219-490B-8467-40FE253775A1",
              "versionEndExcluding": "20.10.3",
              "versionStartIncluding": "20.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD1E9594-C46F-40D1-8BC2-6B16635B55C4",
              "versionEndIncluding": "11.60.3",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
    },
    {
      "lang": "es",
      "value": "En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opci\u00f3n --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual.\u0026#xa0;Cuando se usa \"--userns-remap\", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en \"/var/lib/docker/(remapping)\" que causa la escritura de archivos con privilegios extendidos.\u0026#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que evitan una escalada de privilegios del usuario reasignado"
    }
  ],
  "id": "CVE-2021-21284",
  "lastModified": "2024-11-21T05:47:55.867",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 2.7,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 5.1,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-02T18:15:11.827",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.docker.com/engine/release-notes/#20103"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-23"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-4865"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://docs.docker.com/engine/release-notes/#20103"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202107-23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2021/dsa-4865"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-7452-XQPJ-6RPC

Vulnerability from github – Published: 2024-01-31 23:14 – Updated: 2024-06-10 18:39

Summary

moby Access to remapped root allows privilege escalation to real root

Details

Impact

When using --userns-remap, if the root user in the remapped namespace has access to the host filesystem they can modify files under /var/lib/docker/<remapping> that cause writing files with extended privileges.

Patches

Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Credits

Maintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/moby/moby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.3.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/moby/moby"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.10.0-beta1"
            },
            {
              "fixed": "20.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T23:14:25Z",
    "nvd_published_at": "2021-02-02T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen using `--userns-remap`, if the root user in the remapped namespace has access to the host filesystem they can modify files under `/var/lib/docker/\u003cremapping\u003e` that cause writing files with extended privileges.\n\n### Patches\n\nVersions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\n\n### Credits\n\nMaintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com",
  "id": "GHSA-7452-xqpj-6rpc",
  "modified": "2024-06-10T18:39:17Z",
  "published": "2024-01-31T23:14:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/engine/release-notes/#20103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-23"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210226-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4865"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "moby Access to remapped root allows privilege escalation to real root"
}

GSD-2021-21284

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-21284

Aliases

CVE-2021-21284

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21284",
    "description": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
    "id": "GSD-2021-21284",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-21284.html",
      "https://www.debian.org/security/2021/dsa-4865",
      "https://security.archlinux.org/CVE-2021-21284",
      "https://alas.aws.amazon.com/cve/html/CVE-2021-21284.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21284"
      ],
      "details": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
      "id": "GSD-2021-21284",
      "modified": "2023-12-13T01:23:10.576438Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21284",
        "STATE": "PUBLIC",
        "TITLE": "privilege escalation in Moby"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "moby",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 19.03.15"
                        },
                        {
                          "version_value": "\u003e= 20.0.0, \u003c 20.10.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "moby"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://docs.docker.com/engine/release-notes/#20103",
            "refsource": "MISC",
            "url": "https://docs.docker.com/engine/release-notes/#20103"
          },
          {
            "name": "https://github.com/moby/moby/releases/tag/v20.10.3",
            "refsource": "MISC",
            "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
          },
          {
            "name": "https://github.com/moby/moby/releases/tag/v19.03.15",
            "refsource": "MISC",
            "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
          },
          {
            "name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
            "refsource": "CONFIRM",
            "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
          },
          {
            "name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
            "refsource": "MISC",
            "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
          },
          {
            "name": "DSA-4865",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2021/dsa-4865"
          },
          {
            "name": "GLSA-202107-23",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202107-23"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-7452-xqpj-6rpc",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "20.10.3",
                "versionStartIncluding": "20.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.03.15",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "11.60.3",
                "versionStartIncluding": "11.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21284"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                },
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
            },
            {
              "name": "https://docs.docker.com/engine/release-notes/#20103",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://docs.docker.com/engine/release-notes/#20103"
            },
            {
              "name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
            },
            {
              "name": "https://github.com/moby/moby/releases/tag/v19.03.15",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/moby/moby/releases/tag/v19.03.15"
            },
            {
              "name": "https://github.com/moby/moby/releases/tag/v20.10.3",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/moby/moby/releases/tag/v20.10.3"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
            },
            {
              "name": "DSA-4865",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4865"
            },
            {
              "name": "GLSA-202107-23",
              "refsource": "GENTOO",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202107-23"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 5.1,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 4.0
        }
      },
      "lastModifiedDate": "2022-04-29T19:22Z",
      "publishedDate": "2021-02-02T18:15Z"
    }
  }
}

MSRC_CVE-2021-21284

Vulnerability from csaf_microsoft - Published: 2021-02-02 00:00 - Updated: 2021-07-27 00:00

Summary

privilege escalation in Moby

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2021-21284

6.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected products

Fixed 3 products

Product	Identifier	Version	Remediation
Unresolved product id: 19029-16820		—
Unresolved product id: 19030-16820		—
Unresolved product id: 16833-16820		—

Known affected 3 products

Product	Version	Remediation
Unresolved product id: 16820-2	—	Vendor Fix fix
Unresolved product id: 16820-1	—	Vendor Fix fix
Unresolved product id: 16820-3	—	Vendor Fix fix

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2021/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2021/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2021-21284 privilege escalation in Moby - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-21284.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "privilege escalation in Moby",
    "tracking": {
      "current_release_date": "2021-07-27T00:00:00.000Z",
      "generator": {
        "date": "2025-10-19T21:43:39.683Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2021-21284",
      "initial_release_date": "2021-02-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2021-07-16T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2021-07-27T00:00:00.000Z",
          "legacy_version": "1.1",
          "number": "2",
          "summary": "Added moby-engine to CBL-Mariner 1.0"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 moby-engine 19.03.15+azure-2",
                "product": {
                  "name": "\u003ccm1 moby-engine 19.03.15+azure-2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 moby-engine 19.03.15+azure-2",
                "product": {
                  "name": "cm1 moby-engine 19.03.15+azure-2",
                  "product_id": "19029"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-engine"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 moby-cli 19.03.15+azure-2",
                "product": {
                  "name": "\u003ccm1 moby-cli 19.03.15+azure-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 moby-cli 19.03.15+azure-2",
                "product": {
                  "name": "cm1 moby-cli 19.03.15+azure-2",
                  "product_id": "19030"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-cli"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 moby-buildx 0.4.1+azure-3",
                "product": {
                  "name": "\u003ccm1 moby-buildx 0.4.1+azure-3",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 moby-buildx 0.4.1+azure-3",
                "product": {
                  "name": "cm1 moby-buildx 0.4.1+azure-3",
                  "product_id": "16833"
                }
              }
            ],
            "category": "product_name",
            "name": "moby-buildx"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 moby-engine 19.03.15+azure-2 as a component of CBL Mariner 1.0",
          "product_id": "16820-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 moby-engine 19.03.15+azure-2 as a component of CBL Mariner 1.0",
          "product_id": "19029-16820"
        },
        "product_reference": "19029",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 moby-cli 19.03.15+azure-2 as a component of CBL Mariner 1.0",
          "product_id": "16820-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 moby-cli 19.03.15+azure-2 as a component of CBL Mariner 1.0",
          "product_id": "19030-16820"
        },
        "product_reference": "19030",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 moby-buildx 0.4.1+azure-3 as a component of CBL Mariner 1.0",
          "product_id": "16820-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 moby-buildx 0.4.1+azure-3 as a component of CBL Mariner 1.0",
          "product_id": "16833-16820"
        },
        "product_reference": "16833",
        "relates_to_product_reference": "16820"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21284",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "19029-16820",
          "19030-16820",
          "16833-16820"
        ],
        "known_affected": [
          "16820-2",
          "16820-1",
          "16820-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-21284 privilege escalation in Moby - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-21284.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-07-16T00:00:00.000Z",
          "details": "-:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-2",
            "16820-1",
            "16820-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 6.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "16820-2",
            "16820-1",
            "16820-3"
          ]
        }
      ],
      "title": "privilege escalation in Moby"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21284 (GCVE-0-2021-21284)

Solution

Solution

Solution

Solution

Impact

Patches

Credits

Tags

Sightings

Nomenclature