{"containers": {"cna": {"affected": [{"product": "moby", "vendor": "moby", "versions": [{"status": "affected", "version": "< 19.03.15"}, {"status": "affected", "version": ">= 20.0.0, < 20.10.3"}]}], "descriptions": [{"lang": "en", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-10T04:06:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.docker.com/engine/release-notes/#20103"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/moby/moby/releases/tag/v20.10.3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/moby/moby/releases/tag/v19.03.15"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"}, {"name": "DSA-4865", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4865"}, {"name": "GLSA-202107-23", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202107-23"}], "source": {"advisory": "GHSA-6fj5-m822-rqx8", "discovery": "UNKNOWN"}, "title": "Docker daemon crash during image pull of malicious image", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21285", "STATE": "PUBLIC", "TITLE": "Docker daemon crash during image pull of malicious image"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "moby", "version": {"version_data": [{"version_value": "< 19.03.15"}, {"version_value": ">= 20.0.0, < 20.10.3"}]}}]}, "vendor_name": "moby"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8", "refsource": "CONFIRM", "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8"}, {"name": "https://docs.docker.com/engine/release-notes/#20103", "refsource": "MISC", "url": "https://docs.docker.com/engine/release-notes/#20103"}, {"name": "https://github.com/moby/moby/releases/tag/v20.10.3", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v20.10.3"}, {"name": "https://github.com/moby/moby/releases/tag/v19.03.15", "refsource": "MISC", "url": "https://github.com/moby/moby/releases/tag/v19.03.15"}, {"name": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30", "refsource": "MISC", "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30"}, {"name": "https://security.netapp.com/advisory/ntap-20210226-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"}, {"name": "DSA-4865", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4865"}, {"name": "GLSA-202107-23", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-23"}]}, "source": {"advisory": "GHSA-6fj5-m822-rqx8", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.012Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.docker.com/engine/release-notes/#20103"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/moby/releases/tag/v20.10.3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/moby/releases/tag/v19.03.15"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"}, {"name": "DSA-4865", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4865"}, {"name": "GLSA-202107-23", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202107-23"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21285", "datePublished": "2021-02-02T17:55:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.012Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6B22016-AB78-4E82-9F65-AEC2526F3EDF", "versionEndExcluding": "19.03.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4427D14-D219-490B-8467-40FE253775A1", "versionEndExcluding": "20.10.3", "versionStartIncluding": "20.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "7402489D-85E5-4662-BF87-259740DC72F8", "versionEndIncluding": "11.60.3", "versionStartIncluding": "11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing."}, {"lang": "es", "value": "En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad en la que al extraer un manifiesto de imagen de Docker malformado intencionalmente, bloquea al demonio dockerd.&#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que impiden al demonio bloquearse"}], "id": "CVE-2021-21285", "lastModified": "2022-10-25T12:55:28.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-02-02T18:15:12.203", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.docker.com/engine/release-notes/#20103"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/moby/moby/releases/tag/v19.03.15"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/moby/moby/releases/tag/v20.10.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-23"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210226-0005/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4865"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "docker: daemon crash during image pull of malicious image", "id": "1924742", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1924742"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-354", "details": ["In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.", "A flaw was found in Docker. Pulling an intentionally malformed Docker image manifest could lead to a crash of the `dockerd` daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-21285", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "docker", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2021-02-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21285\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21285\nhttps://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8"], "threat_severity": "Moderate", "upstream_fix": "docker 19.03.15, docker 20.10.3"}