x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2021-21285

[tatianab]

CVE-2021-21285 references github.com/moby/moby, which may be a Go module.

Description:
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-21285
• advisory: GHSA-6fj5-m822-rqx8
• web: https://docs.docker.com/engine/release-notes/#20103
• web: https://github.com/moby/moby/releases/tag/v20.10.3
• web: https://github.com/moby/moby/releases/tag/v19.03.15
• fix: moby/moby@8d31795
• web: https://security.netapp.com/advisory/ntap-20210226-0005/
• web: https://www.debian.org/security/2021/dsa-4865
• web: https://security.gentoo.org/glsa/202107-23
• Imported by: https://pkg.go.dev/github.com/moby/moby?tab=importedby

Cross references:

• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-24769 #390 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-8fvr-5rqf-3wwh #638 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-v4h8-794j-g8mm #708 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vj3f-3286-r4pf #751 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2022-36109 #985 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107 NOT_IMPORTABLE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28840 #1699 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28841 #1700 EFFECTIVELY_PRIVATE
• Module github.com/moby/moby appears in issue x/vulndb: potential Go vuln in github.com/moby/moby: CVE-2023-28842 #1701 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/moby/moby
      vulnerable_at: 24.0.7+incompatible
      packages:
        - package: moby
cves:
    - CVE-2021-21285
references:
    - advisory: https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8
    - web: https://docs.docker.com/engine/release-notes/#20103
    - web: https://github.com/moby/moby/releases/tag/v20.10.3
    - web: https://github.com/moby/moby/releases/tag/v19.03.15
    - fix: https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30
    - web: https://security.netapp.com/advisory/ntap-20210226-0005/
    - web: https://www.debian.org/security/2021/dsa-4865
    - web: https://security.gentoo.org/glsa/202107-23

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports