CVE-2021-41089
LOWMoby < 20.10.9 - Unix File Permission Changes via docker cp
Title source: llmDescription
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
Patch, Third Party Advisory x_refsource_misc
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/
Vendor Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
Scores
CVSS v3
2.8
EPSS
0.0027
EPSS Percentile
18.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-281
Status
published
Products (4)
docker/docker
0 - 20.10.9Go
fedoraproject/fedora
34
fedoraproject/fedora
35
mobyproject/moby
< 20.10.9
Published
Oct 04, 2021
Tracked Since
Feb 18, 2026