Bug 1191334 (CVE-2021-41092) - VUL-0: CVE-2021-41092: docker: exposed user credentials with a misconfigured configuration file
Status: RESOLVED FIXED
Alias: CVE-2021-41092
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/311715/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41092:5.4:(AV:...
Reported: 2021-10-05 13:38 UTC by Alexander Bergmann
Modified: 2024-05-23 06:58 UTC
Found By: Security Response Team
Description Alexander Bergmann 2021-10-05 13:38:03 UTC
CVE-2021-41092

Docker CLI is the command line interface for the docker container runtime. A bug
was found in the Docker CLI where running `docker login
my-private-registry.example.com` with a misconfigured configuration file
(typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that
could not be executed would result in any provided credentials being sent to
`registry-1.docker.io` rather than the intended private registry. This bug has
been fixed in Docker CLI 20.10.9. Users should update to this version as soon as
possible. For users unable to update, ensure that any configured `credsStore` or
credHelpers entries in the configuration file reference an installed credential
helper that is executable and on the PATH.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092
https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v
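
One way to carry out the workaround check from the description above, as an added example that is not part of the original report or of Docker's code: it reads a Docker CLI config file and reports every `credsStore` or `credHelpers` entry whose `docker-credential-<name>` binary is not an executable on the PATH. The registry and helper names used in `demo()` are constructed.

```python
import json
import os
import shutil
import sys
import tempfile


def broken_helpers(config_path, path=None):
    """Map each credsStore/credHelpers setting to its helper binary when that
    binary cannot be found as an executable on PATH (or on `path`, if given)."""
    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    wanted = {}
    if cfg.get("credsStore"):
        wanted["credsStore"] = cfg["credsStore"]
    for registry, name in (cfg.get("credHelpers") or {}).items():
        wanted[f"credHelpers[{registry}]"] = name
    missing = {}
    for setting, name in wanted.items():
        binary = f"docker-credential-{name}"  # helper naming used by the CLI
        if shutil.which(binary, path=path) is None:
            missing[setting] = binary
    return missing


def demo():
    """Run the check on a constructed config and a constructed helper dir."""
    with tempfile.TemporaryDirectory() as tmp:
        # One working helper, and one that exists but lacks the execute bit.
        for name, mode in (("okhelper", 0o755), ("noexec", 0o644)):
            helper = os.path.join(tmp, f"docker-credential-{name}")
            with open(helper, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(helper, mode)
        cfg_path = os.path.join(tmp, "config.json")
        with open(cfg_path, "w", encoding="utf-8") as fh:
            json.dump({"credsStore": "absent",
                       "credHelpers": {"registry.example.com": "noexec",
                                       "other.example.com": "okhelper"}}, fh)
        return broken_helpers(cfg_path, path=tmp)


if __name__ == "__main__":
    default = os.path.join(os.environ.get("DOCKER_CONFIG",
                           os.path.expanduser("~/.docker")), "config.json")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for setting, binary in broken_helpers(target).items():
        print(f"{setting}: {binary} is not an executable on PATH")
```

Run without arguments, it audits the current user's config file; any line it prints names an entry to fix or remove before running `docker login` on a CLI older than 20.10.9.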
Comment 1 Swamp Workflow Management 2021-10-12 13:27:20 UTC
SUSE-SU-2021:3336-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.11-16.45.1, docker-20.10.9_ce-98.72.1, runc-1.0.2-16.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 2 Swamp Workflow Management 2021-10-25 13:18:03 UTC
openSUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, docker-kubic-20.10.9_ce-156.1, runc-1.0.2-23.1
Comment 3 Swamp Workflow Management 2021-10-25 13:20:50 UTC
SUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE MicroOS 5.0 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1
SUSE Enterprise Storage 7 (src):    runc-1.0.2-23.1
SUSE Enterprise Storage 6 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE CaaS Platform 4.0 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1

Comment 4 Swamp Workflow Management 2021-10-31 20:41:01 UTC
openSUSE-SU-2021:1404-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    containerd-1.4.11-lp152.2.12.1, docker-20.10.9_ce-lp152.2.18.1, runc-1.0.2-lp152.2.9.1
Comment 8 Swamp Workflow Management 2022-01-27 17:20:23 UTC
SUSE-SU-2022:0213-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.12-16.49.1, docker-20.10.12_ce-98.75.1

Comment 9 Swamp Workflow Management 2022-02-04 14:23:34 UTC
openSUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1, docker-kubic-20.10.12_ce-159.1
Comment 10 Swamp Workflow Management 2022-02-04 14:26:19 UTC
SUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.0 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1

Comment 11 Aleksa Sarai 2024-05-23 06:58:31 UTC
Fixed in 2021.