6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21284

CVE-2021-21284: moby Access to remapped root allows privilege escalation to real root

Impact

When using --userns-remap, if the root user in the remapped namespace has access to the host filesystem they can modify files under /var/lib/docker/<remapping> that cause writing files with extended privileges.

Patches

Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Credits

Maintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-21284

CVE-2021-21284:

6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/moby/moby	go	< 19.3.15	19.3.15
github.com/moby/moby	go	>= 20.10.0-beta1, < 20.10.3	20.10.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from directory creation functions using remapped namespace credentials (daemon.idMapping.RootPair()) instead of host root credentials. The patched commit 64bd448 shows systematic replacement of these calls with idtools.CurrentIdentity() to enforce host-level permissions. Key functions like MkdirAllAndChown and setupDaemonRoot were creating directories writable by the remapped user, allowing path traversal attacks on Docker's state directories. The graph driver implementations (aufs, overlay, etc.) showed similar vulnerable patterns that were patched by switching to host identity checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21284: moby Access to remapped root allows privilege escalation to real root

Impact

Patches

Credits

CVE-2021-21284:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

6.8

6.8

CVE-2021-21284: moby Access to remapped root allows privilege escalation to real root

Impact

Patches

Credits

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-21284: moby Access to remapped root allows privilege escalation to real root

Impact

Patches

Credits

CVE-2021-21284:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

6.8

6.8

CVE-2021-21284: moby Access to remapped root allows privilege escalation to real root

Impact

Patches

Credits

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI