Moderate severityNVD Advisory· Published Feb 2, 2021· Updated Aug 3, 2024
privilege escalation in Moby
CVE-2021-21284
Description
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/moby/mobyGo | < 19.3.15 | 19.3.15 |
github.com/moby/mobyGo | >= 20.10.0-beta1, < 20.10.3 | 20.10.3 |
Affected products
120- osv-coords119 versionspkg:apk/chainguard/docker-machine-driver-harvesterpkg:apk/chainguard/py3.10-dockerpkg:apk/chainguard/py3.11-dockerpkg:apk/chainguard/py3.12-dockerpkg:apk/chainguard/py3.13-dockerpkg:apk/chainguard/py3-dockerpkg:apk/chainguard/py3-supported-dockerpkg:apk/chainguard/rancher-machinepkg:apk/wolfi/docker-machine-driver-harvesterpkg:apk/wolfi/py3.10-dockerpkg:apk/wolfi/py3.11-dockerpkg:apk/wolfi/py3.12-dockerpkg:apk/wolfi/py3.13-dockerpkg:apk/wolfi/py3-dockerpkg:apk/wolfi/py3-supported-dockerpkg:apk/wolfi/rancher-machinepkg:golang/github.com/moby/mobypkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/docker-runc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/fish&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/golang-github-docker-libnetwork&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/containerd&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/docker&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/docker&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/docker&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/docker&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/docker-runc&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/docker-runc&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/docker-runc&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/docker-runc&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/docker-stable&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP6pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/runc&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/runc&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/runc&distro=SUSE%20Manager%20Server%204.0
< 1.0.5-r0+ 118 more
- (no CPE)range: < 1.0.5-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.15.0.137-r0
- (no CPE)range: < 1.0.5-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.15.0.137-r0
- (no CPE)range: < 19.3.15
- (no CPE)range: < 1.3.9-lp152.2.3.1
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 19.03.15_ce-lp152.2.3.1
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 20.10.6_ce-2.1
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-15.1
- (no CPE)range: < 2.7.1-lp152.5.3.1
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1
- (no CPE)range: < 1.0.0~rc93-lp152.2.3.1
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.3.9-16.35.1
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.4.4-5.32.1
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 1.3.9-5.29.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 19.03.15_ce-98.60.2
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 20.10.6_ce-6.49.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 19.03.15_ce-6.43.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-1.52.1
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 1.0.0rc10+gitr3981_dc9208a3303f-6.45.3
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-37.1
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 0.7.0.1+gitr2908_55e924b8a842-4.28.3
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-16.8.1
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- (no CPE)range: < 1.0.0~rc93-1.14.2
- Range: < 19.03.15
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-7452-xqpj-6rpcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21284ghsaADVISORY
- security.gentoo.org/glsa/202107-23ghsavendor-advisoryx_refsource_GENTOOWEB
- www.debian.org/security/2021/dsa-4865ghsavendor-advisoryx_refsource_DEBIANWEB
- docs.docker.com/engine/release-notes/ghsax_refsource_MISCWEB
- github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7cghsax_refsource_MISCWEB
- github.com/moby/moby/releases/tag/v19.03.15ghsax_refsource_MISCWEB
- github.com/moby/moby/releases/tag/v20.10.3ghsax_refsource_MISCWEB
- github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpcghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20210226-0005ghsaWEB
- security.netapp.com/advisory/ntap-20210226-0005/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.