CVE-2021-41089: `docker cp` allows unexpected chmod of host files in Moby Docker Engine
A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
References
- cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
- github.com/advisories/GHSA-v994-f8vw-g7j4
- github.com/moby/moby
- github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
- github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
- nvd.nist.gov/vuln/detail/CVE-2021-41089
Code Behaviors & Features
Detect and mitigate CVE-2021-41089 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →