CVE-2021-21285

MEDIUM severity · CVSS 6.5 · Uncontrolled resource consumption

6.5CVSS MEDIUM

Summary

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected products we track (1)

Docker Engine

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30 ↗

Additional information

NVD record
https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30Patch
https://security.gentoo.org/glsa/202107-23Patch
https://docs.docker.com/engine/release-notes/#20103Advisory
https://github.com/moby/moby/releases/tag/v19.03.15Advisory
https://github.com/moby/moby/releases/tag/v20.10.3Advisory
https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8Advisory
https://security.netapp.com/advisory/ntap-20210226-0005/Advisory
https://www.debian.org/security/2021/dsa-4865Advisory