CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20497
https://notcve.org/view.php?id=CVE-2021-20497
IBM Security Verify Access Docker 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197969 IBM Security Verify Access Docker versión 10.0.0, usa algoritmos criptográficos más débiles de lo esperado que podrían permitir a un atacante descifrar información altamente confidencial. IBM X-Force ID: 197969 • https://exchange.xforce.ibmcloud.com/vulnerabilities/197969 https://www.ibm.com/support/pages/node/6471895 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20496
https://notcve.org/view.php?id=CVE-2021-20496
IBM Security Verify Access Docker 10.0.0 could allow an authenticated user to bypass input due to improper input validation. IBM X-Force ID: 197966. IBM Security Verify Access Docker versión 10.0.0, podría permitir a un usuario autenticado omitir la entrada debido a una comprobación inapropiada de entrada. IBM X-Force ID: 197966 • https://exchange.xforce.ibmcloud.com/vulnerabilities/197966 https://www.ibm.com/support/pages/node/6471895 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 83%CPEs: 1EXPL: 0CVE-2021-27886 – Docker Dashboard Remote Command Execution
https://notcve.org/view.php?id=CVE-2021-27886
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product. rakibtg Docker Dashboard antes del 28 de febrero de 2021, permite la inyección de comandos en el archivo backend/utilities/terminal.js por medio de metacaracteres de shell en el parámetro del comando de una petición de la API. NOTA: este NO es un producto de Docker, Inc Docker Dashboard suffers from a remote command execution vulnerability. The fix is added in commit 79cdc41. • http://packetstormsecurity.com/files/163416/Docker-Dashboard-Remote-Command-Execution.html https://github.com/rakibtg/docker-web-gui/commit/79cdc41809f2030fce21a1109898bd79e4190661 https://github.com/rakibtg/docker-web-gui/issues/23 https://www.docker.com/legal/trademark-guidelines • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-21284 – privilege escalation in Moby
https://notcve.org/view.php?id=CVE-2021-21284
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user. En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opción --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual. Cuando se usa "--userns-remap", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en "/var/lib/docker/(remapping)" que causa la escritura de archivos con privilegios extendidos. • https://docs.docker.com/engine/release-notes/#20103 https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c https://github.com/moby/moby/releases/tag/v19.03.15 https://github.com/moby/moby/releases/tag/v20.10.3 https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc https://security.gentoo.org/glsa/202107-23 https://security.netapp.com/advisory/ntap-20210226-0005 https://www.debian.org/security/2021/dsa-4865 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-21285 – Docker daemon crash during image pull of malicious image
https://notcve.org/view.php?id=CVE-2021-21285
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad en la que al extraer un manifiesto de imagen de Docker malformado intencionalmente, bloquea al demonio dockerd. Las versiones 20.10.3 y 19.03.15 contienen parches que impiden al demonio bloquearse • https://docs.docker.com/engine/release-notes/#20103 https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30 https://github.com/moby/moby/releases/tag/v19.03.15 https://github.com/moby/moby/releases/tag/v20.10.3 https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8 https://security.gentoo.org/glsa/202107-23 https://security.netapp.com/advisory/ntap-20210226-0005 https://www.debian.org/security/2021/dsa-4865 • CWE-400: Uncontrolled Resource Consumption CWE-754: Improper Check for Unusual or Exceptional Conditions •