x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21284

[tatianab]

CVE-2021-21284 references github.com/moby/moby, which may be a Go module.

Description:
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-21284
• web: https://docs.docker.com/engine/release-notes/#20103
• web: https://github.com/moby/moby/releases/tag/v20.10.3
• web: https://github.com/moby/moby/releases/tag/v19.03.15
• advisory: GHSA-7452-xqpj-6rpc
• fix: moby/moby@64bd448
• web: https://security.netapp.com/advisory/ntap-20210226-0005/
• web: https://www.debian.org/security/2021/dsa-4865
• web: https://security.gentoo.org/glsa/202107-23
• Imported by: https://pkg.go.dev/github.com/moby/moby?tab=importedby

Cross references:

• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-8fvr-5rqf-3wwh #638 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v4h8-794j-g8mm #708 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vj3f-3286-r4pf #751 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-36109 #985 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28840 #1699 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28841 #1700 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28842 #1701 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/moby/moby
      vulnerable_at: 24.0.7+incompatible
      packages:
        - package: moby
cves:
    - CVE-2021-21284
references:
    - web: https://docs.docker.com/engine/release-notes/#20103
    - web: https://github.com/moby/moby/releases/tag/v20.10.3
    - web: https://github.com/moby/moby/releases/tag/v19.03.15
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc
    - fix: https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c
    - web: https://security.netapp.com/advisory/ntap-20210226-0005/
    - web: https://www.debian.org/security/2021/dsa-4865
    - web: https://security.gentoo.org/glsa/202107-23

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports