docker.io: CVE-2021-41092: Docker CLI leaks private registry credentials to registry-1.docker.io

Related Vulnerabilities: CVE-2021-41092  

Debian Bug report logs - #998292
docker.io: CVE-2021-41092: Docker CLI leaks private registry credentials to registry-1.docker.io

version graph

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 1 Nov 2021 20:42:01 UTC

Severity: normal

Tags: security, upstream

Found in version docker.io/20.10.8+dfsg1-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#998292; Package src:docker.io. (Mon, 01 Nov 2021 20:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Mon, 01 Nov 2021 20:42:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: docker.io: CVE-2021-41092: Docker CLI leaks private registry credentials to registry-1.docker.io
Date: Mon, 01 Nov 2021 21:39:10 +0100
Source: docker.io
Version: 20.10.8+dfsg1-2
Severity: normal
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for docker.io.

CVE-2021-41092[0]:
| Docker CLI is the command line interface for the docker container
| runtime. A bug was found in the Docker CLI where running `docker login
| my-private-registry.example.com` with a misconfigured configuration
| file (typically `~/.docker/config.json`) listing a `credsStore` or
| `credHelpers` that could not be executed would result in any provided
| credentials being sent to `registry-1.docker.io` rather than the
| intended private registry. This bug has been fixed in Docker CLI
| 20.10.9. Users should update to this version as soon as possible. For
| users unable to update ensure that any configured credsStore or
| credHelpers entries in the configuration file reference an installed
| credential helper that is executable and on the PATH.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41092
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092
[1] https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v
[2] https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Nov 2 14:36:55 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.