VulnerableCode Package Details - pkg:deb/ubuntu/docker.io@20.10.7-0ubuntu1~20.04.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-98m9-ft46-aaah Aliases: CVE-2021-41089 GHSA-v994-f8vw-g7j4	Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.	20.10.7-0ubuntu1~20.04.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fckq-6rf5-aaaf Aliases: CVE-2021-41092 GHSA-99pg-grm5-qq3v	Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.	20.10.7-0ubuntu5~20.04.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-98m9-ft46-aaah
Aliases:
CVE-2021-41089
GHSA-v994-f8vw-g7j4

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.

20.10.7-0ubuntu1~20.04.2
Affected by 1 other vulnerability.

VCID-fckq-6rf5-aaaf
Aliases:
CVE-2021-41092
GHSA-99pg-grm5-qq3v

Docker CLI is the command line interface for the docker container runtime. A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. For users unable to update ensure that any configured credsStore or credHelpers entries in the configuration file reference an installed credential helper that is executable and on the PATH.

20.10.7-0ubuntu5~20.04.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cvtk-d332-aaaf	In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.	CVE-2021-21285 GHSA-6fj5-m822-rqx8
VCID-th43-scy8-aaab	In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.	CVE-2021-21284 GHSA-7452-xqpj-6rpc
VCID-wgvq-269b-aaaq	An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.	CVE-2020-13401 GHSA-qrrc-ww9x-r43g

Vulnerability

Summary

Aliases

VCID-cvtk-d332-aaaf

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVE-2021-21285
GHSA-6fj5-m822-rqx8

VCID-th43-scy8-aaab

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

CVE-2021-21284
GHSA-7452-xqpj-6rpc

VCID-wgvq-269b-aaaq

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

CVE-2020-13401
GHSA-qrrc-ww9x-r43g

Next non-vulnerable version	20.10.7-0ubuntu5~20.04.2
Latest non-vulnerable version	20.10.7-0ubuntu5~20.04.2
Risk	4.5