x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-6fj5-m822-rqx8 #2502

GoVulnBot · 2024-02-01T00:01:15Z

In GitHub Security Advisory GHSA-6fj5-m822-rqx8, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/moby/moby	20.10.3	>= 20.10.0-beta1, < 20.10.3

Cross references:

Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390 EFFECTIVELY_PRIVATE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-8fvr-5rqf-3wwh #638 NOT_IMPORTABLE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v4h8-794j-g8mm #708 NOT_IMPORTABLE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vj3f-3286-r4pf #751 NOT_IMPORTABLE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-36109 #985 NOT_IMPORTABLE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107 NOT_IMPORTABLE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28840 #1699 EFFECTIVELY_PRIVATE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28841 #1700 EFFECTIVELY_PRIVATE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28842 #1701 EFFECTIVELY_PRIVATE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2017-16539 #2199 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-10892 #2207 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-12608 #2209 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2018-15664 #2212 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2019-13139 #2236 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21284 #2316 LEGACY_FALSE_POSITIVE
CVE-2021-21285 appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285 #2317 LEGACY_FALSE_POSITIVE
Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285 #2317 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/moby/moby
      versions:
        - introduced: 20.10.0-beta1
          fixed: 20.10.3
      packages:
        - package: github.com/moby/moby
    - module: github.com/moby/moby
      versions:
        - fixed: 19.3.15
      packages:
        - package: github.com/moby/moby
summary: moby docker daemon crash during image pull of malicious image
cves:
    - CVE-2021-21285
ghsas:
    - GHSA-6fj5-m822-rqx8
references:
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8
    - web: https://nvd.nist.gov/vuln/detail/CVE-2021-21285
    - fix: https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30
    - web: https://docs.docker.com/engine/release-notes/#20103
    - web: https://github.com/moby/moby/releases/tag/v19.03.15
    - web: https://github.com/moby/moby/releases/tag/v20.10.3
    - web: https://security.gentoo.org/glsa/202107-23
    - web: https://security.netapp.com/advisory/ntap-20210226-0005/
    - web: https://www.debian.org/security/2021/dsa-4865
    - advisory: https://github.com/advisories/GHSA-6fj5-m822-rqx8

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-02-20T22:12:53Z

Change https://go.dev/cl/565379 mentions this issue: data/excluded: batch add 7 excluded reports

tatianab · 2024-02-20T22:55:02Z

Duplicate of #2317

timothy-king assigned tatianab Feb 7, 2024

tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Feb 20, 2024

tatianab marked this as a duplicate of #2317 Feb 20, 2024

tatianab closed this as completed Feb 20, 2024

tatianab added duplicate and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Feb 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-6fj5-m822-rqx8 #2502

x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-6fj5-m822-rqx8 #2502

GoVulnBot commented Feb 1, 2024

gopherbot commented Feb 20, 2024

tatianab commented Feb 20, 2024

x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-6fj5-m822-rqx8 #2502

x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-6fj5-m822-rqx8 #2502

Comments

GoVulnBot commented Feb 1, 2024

gopherbot commented Feb 20, 2024

tatianab commented Feb 20, 2024