x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-v994-f8vw-g7j4

[GoVulnBot]

In GitHub Security Advisory GHSA-v994-f8vw-g7j4, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/docker/docker	20.10.9	< 20.10.9

Cross references:

• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-44gg-pmqr-4669 #625 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-5qgp-p5jc-w2rm #630 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-8w94-cf6g-c8mg #636 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-997c-fj8j-rq5h #640 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g44j-7vp3-68cv #647 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-g7v2-2qxx-wjrw #649 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-qmmc-jppf-32wv #705 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-wxj3-qwv4-cvfm #752 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-j249-ghv5-7mxv #2013 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-jq35-85cj-fj4p #2161 NOT_IMPORTABLE
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/docker/docker: GHSA-mq39-4gv4-mvpx #2659
• Module github.com/docker/docker appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2024-32473 #2737

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/docker/docker
      versions:
        - fixed: 20.10.9+incompatible
      vulnerable_at: 20.10.8+incompatible
      packages:
        - package: github.com/docker/docker
summary: '`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker'
cves:
    - CVE-2021-41089
ghsas:
    - GHSA-v994-f8vw-g7j4
references:
    - advisory: https://github.com/advisories/GHSA-v994-f8vw-g7j4
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-41089
    - fix: https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
    - web: https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB
    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB
source:
    id: GHSA-v994-f8vw-g7j4
    created: 2024-06-10T20:01:58.346307349Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/592456 mentions this issue: data/reports: add 19 unreviewed reports

[gopherbot]

Change https://go.dev/cl/592457 mentions this issue: data/reports: add 16 unreviewed reports

[gopherbot]

Change https://go.dev/cl/595999 mentions this issue: data/reports: review 7 reports