DirectorySecurity Advisories
Sign In
Security Advisories

CGA-cmvm-wqr5-v4h3

Published

Last updated

https://images.chainguard.dev/security/CGA-cmvm-wqr5-v4h3
Package

docker

Latest Update
Under investigation
Aliases
  • CVE-2021-41089
  • GHSA-v994-f8vw-g7j4

Severity

2.8

Low

CVSS V3

Summary

docker cp allows unexpected chmod of host files in Moby Docker Engine

Description

Impact

A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Patches

This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

Workarounds

Ensure you only run trusted containers.

Credits

The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with the Moby security policy.

For more information

If you have any questions or comments about this advisory:

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsPricingOpen SourceCareersNewsroomLegal

Resources

Unchained BlogEventsTrust CenterDocumentation