CVE-2021-21285 Docker daemon crash during image pull of malicious image

2021-02-0217:55:16

CWE-400

GitHub_M

www.cve.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.9 Medium

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.7%

JSON

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

CNA Affected

[
  {
    "product": "moby",
    "vendor": "moby",
    "versions": [
      {
        "status": "affected",
        "version": "< 19.03.15"
      },
      {
        "status": "affected",
        "version": ">= 20.0.0, < 20.10.3"
      }
    ]
  }
]