USN-5103-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-5103-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5103-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-5103-1
Upstream
Related
Published
2021-10-04T22:48:39.382089Z
Modified
2025-10-13T04:35:38Z
Summary
docker.io vulnerability
Details

Lei Wang and Ruizhi Xiao discovered that the Moby Docker engine in Docker incorrectly allowed the docker cp command to make permissions changes in the host filesystem in some situations. A local attacker could possibly use to this to expose sensitive information or gain administrative privileges.

References

Affected packages

Ubuntu:Pro:16.04:LTS / docker.io

Package

Name
docker.io
Purl
pkg:deb/ubuntu/docker.io@18.09.7-0ubuntu1~16.04.9+esm1?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
18.09.7-0ubuntu1~16.04.9+esm1

Affected versions

1.*

1.6.2~dfsg1-1ubuntu4
1.10.2-0ubuntu3
1.10.2-0ubuntu4
1.10.3-0ubuntu1
1.10.3-0ubuntu4
1.10.3-0ubuntu5
1.10.3-0ubuntu6
1.11.2-0ubuntu5~16.04
1.12.1-0ubuntu13~16.04.1
1.12.3-0ubuntu4~16.04.2
1.12.6-0ubuntu1~16.04.1
1.13.1-0ubuntu1~16.04.2

17.*

17.03.2-0ubuntu2~16.04.1

18.*

18.06.1-0ubuntu1~16.04.2
18.06.1-0ubuntu1.2~16.04.1
18.09.2-0ubuntu1~16.04.1
18.09.5-0ubuntu1~16.04.2
18.09.7-0ubuntu1~16.04.1
18.09.7-0ubuntu1~16.04.4
18.09.7-0ubuntu1~16.04.5
18.09.7-0ubuntu1~16.04.6
18.09.7-0ubuntu1~16.04.7

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "18.09.7-0ubuntu1~16.04.9+esm1",
            "binary_name": "docker.io"
        },
        {
            "binary_version": "18.09.7-0ubuntu1~16.04.9+esm1",
            "binary_name": "golang-docker-dev"
        },
        {
            "binary_version": "18.09.7-0ubuntu1~16.04.9+esm1",
            "binary_name": "golang-github-docker-docker-dev"
        },
        {
            "binary_version": "18.09.7-0ubuntu1~16.04.9+esm1",
            "binary_name": "vim-syntax-docker"
        }
    ],
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"
}

Database specific 

{
    "cves_map": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "cves": [
            {
                "id": "CVE-2021-41089",
                "severity": [
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
                    },
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N"
                    },
                    {
                        "type": "Ubuntu",
                        "score": "medium"
                    }
                ]
            }
        ]
    }
}

Ubuntu:18.04:LTS / docker.io

Package

Name
docker.io
Purl
pkg:deb/ubuntu/docker.io@20.10.7-0ubuntu1~18.04.2?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.10.7-0ubuntu1~18.04.2

Affected versions

1.*

1.13.1-0ubuntu6

17.*

17.03.2-0ubuntu1
17.03.2-0ubuntu3
17.03.2-0ubuntu5
17.12.1-0ubuntu1

18.*

18.06.1-0ubuntu1~18.04.1
18.06.1-0ubuntu1.2~18.04.1
18.09.2-0ubuntu1~18.04.1
18.09.5-0ubuntu1~18.04.2
18.09.7-0ubuntu1~18.04.1
18.09.7-0ubuntu1~18.04.3
18.09.7-0ubuntu1~18.04.4

19.*

19.03.6-0ubuntu1~18.04.1
19.03.6-0ubuntu1~18.04.2
19.03.6-0ubuntu1~18.04.3

20.*

20.10.2-0ubuntu1~18.04.2
20.10.2-0ubuntu1~18.04.3
20.10.7-0ubuntu1~18.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "20.10.7-0ubuntu1~18.04.2",
            "binary_name": "docker.io"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~18.04.2",
            "binary_name": "golang-docker-dev"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~18.04.2",
            "binary_name": "golang-github-docker-docker-dev"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~18.04.2",
            "binary_name": "vim-syntax-docker"
        }
    ],
    "availability": "No subscription required"
}

Database specific 

{
    "cves_map": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "cves": [
            {
                "id": "CVE-2021-41089",
                "severity": [
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
                    },
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N"
                    },
                    {
                        "type": "Ubuntu",
                        "score": "medium"
                    }
                ]
            }
        ]
    }
}

Ubuntu:20.04:LTS / docker.io

Package

Name
docker.io
Purl
pkg:deb/ubuntu/docker.io@20.10.7-0ubuntu1~20.04.2?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.10.7-0ubuntu1~20.04.2

Affected versions

19.*

19.03.2-0ubuntu1
19.03.6-0ubuntu1
19.03.8-0ubuntu1
19.03.8-0ubuntu1.20.04
19.03.8-0ubuntu1.20.04.1
19.03.8-0ubuntu1.20.04.2

20.*

20.10.2-0ubuntu1~20.04.2
20.10.2-0ubuntu1~20.04.3
20.10.7-0ubuntu1~20.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "20.10.7-0ubuntu1~20.04.2",
            "binary_name": "docker.io"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~20.04.2",
            "binary_name": "golang-docker-dev"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~20.04.2",
            "binary_name": "golang-github-docker-docker-dev"
        },
        {
            "binary_version": "20.10.7-0ubuntu1~20.04.2",
            "binary_name": "vim-syntax-docker"
        }
    ],
    "availability": "No subscription required"
}

Database specific 

{
    "cves_map": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "cves": [
            {
                "id": "CVE-2021-41089",
                "severity": [
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
                    },
                    {
                        "type": "CVSS_V3",
                        "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N"
                    },
                    {
                        "type": "Ubuntu",
                        "score": "medium"
                    }
                ]
            }
        ]
    }
}