CVE 2021-21284
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/
Related bugs and status
CVE-2021-21284 (Candidate) is related to these bugs:
Bug #1938908: Backport the container stack in Impish
Bug | Summary | In | Importance | Status
---|---|---|---|---
1938908 | Backport the container stack in Impish | docker.io (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | docker.io (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | docker.io (Ubuntu Bionic) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | docker.io (Ubuntu Focal) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | containerd (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | containerd (Ubuntu Bionic) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | containerd (Ubuntu Focal) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | containerd (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | runc (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | runc (Ubuntu Bionic) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | runc (Ubuntu Focal) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | runc (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-ishidawataru-sctp (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-ishidawataru-sctp (Ubuntu Bionic) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-ishidawataru-sctp (Ubuntu Focal) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-ishidawataru-sctp (Ubuntu Hirsute) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-image (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-image (Ubuntu Bionic) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-image (Ubuntu Focal) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-image (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | opengcs (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | opengcs (Ubuntu Bionic) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | opengcs (Ubuntu Focal) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | opengcs (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-containers-storage (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-storage (Ubuntu Bionic) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-storage (Ubuntu Focal) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-containers-storage (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-containers-common (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-common (Ubuntu Bionic) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-common (Ubuntu Focal) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-common (Ubuntu Hirsute) | Undecided | Fix Released
1938908 | Backport the container stack in Impish | golang-github-containers-buildah (Ubuntu) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-buildah (Ubuntu Bionic) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-buildah (Ubuntu Focal) | Undecided | Invalid
1938908 | Backport the container stack in Impish | golang-github-containers-buildah (Ubuntu Hirsute) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.