CVE-2021-21285

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://docs.docker.com/engine/release-notes/#20103	Release Notes Vendor Advisory
https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30	Patch Third Party Advisory
https://github.com/moby/moby/releases/tag/v19.03.15	Release Notes Third Party Advisory
https://github.com/moby/moby/releases/tag/v20.10.3	Release Notes Third Party Advisory
https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8	Third Party Advisory
https://security.gentoo.org/glsa/202107-23	Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0005/	Third Party Advisory
https://www.debian.org/security/2021/dsa-4865	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:docker:docker::::::::
	cpe:2.3:a:docker:docker::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-02-02 18:15

Updated : 2022-10-25 12:55

NVD link : CVE-2021-21285

Mitre link : CVE-2021-21285

CVE.ORG link : CVE-2021-21285

JSON object : View

Products Affected

debian

debian_linux

docker

docker

netapp

e-series_santricity_os_controller

CWE

CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2021-21285", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-02-02T18:15:12.203", "references": [{"url": "https://docs.docker.com/engine/release-notes/#20103", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/moby/releases/tag/v19.03.15", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/moby/releases/tag/v20.10.3", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202107-23", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20210226-0005/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.debian.org/security/2021/dsa-4865", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing."}, {"lang": "es", "value": "En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad en la que al extraer un manifiesto de imagen de Docker malformado intencionalmente, bloquea al demonio dockerd. Las versiones 20.10.3 y 19.03.15 contienen parches que impiden al demonio bloquearse"}], "lastModified": "2022-10-25T12:55:28.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6B22016-AB78-4E82-9F65-AEC2526F3EDF", "versionEndExcluding": "19.03.15"}, {"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4427D14-D219-490B-8467-40FE253775A1", "versionEndExcluding": "20.10.3", "versionStartIncluding": "20.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7402489D-85E5-4662-BF87-259740DC72F8", "versionEndIncluding": "11.60.3", "versionStartIncluding": "11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}