5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-41091

GHSA ID

GHSA-3fwx-pjgw-3558

EPSS Score

0.8895%

CWE

CWE-281

Published

1/31/2024

Updated

5/14/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41091

CVE-2021-41091: Moby (Docker Engine) Insufficiently restricted permissions on data directory

Impact

A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.

Patches

This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed.

Workarounds

Limit access to the host to trusted users. Limit access to host volumes to trusted containers.

Credits

The Moby project would like to thank Joan Bruguera for responsibly disclosing this issue in accordance with the Moby security policy.

For more information

If you have any questions or comments about this advisory:

Open an issue
Email us at security@docker.com if you think you’ve found a security bug

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-41091

CVE-2021-41091:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-41091

GHSA ID

GHSA-3fwx-pjgw-3558

EPSS Score

0.8895%

CWE

CWE-281

Published

1/31/2024

Updated

5/14/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/moby/moby	go	< 20.10.9	20.10.9
github.com/docker/docker	go	< 20.10.9	20.10.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from directory creation calls using 0701 permissions (world-executable) instead of 0710 (group-restricted). The patched commit shows multiple instances where these functions were modified across storage drivers and daemon components. The 0701 permission allowed any user to traverse directories under /var/lib/docker, while 0710 properly restricts access to the docker group. Key functions identified are idtools.MkdirAllAndChown and idtools.MkdirAndChown with the vulnerable permission patterns, found in multiple files handling Docker's data directory structure creation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-41091: Moby (Docker Engine) Insufficiently restricted permissions on data directory

Impact

Patches

Workarounds

Credits

For more information

CVE-2021-41091:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2021-41091: Moby (Docker Engine) Insufficiently restricted permissions on data directory

Impact

Patches

Workarounds

Credits

For more information

5.9

5.9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI