
Cloud Vulnerability DB
A community-led vulnerabilities database
A bug was discovered in Moby (Docker Engine) where using the docker cp command to copy files into a specially-crafted container could result in unexpected Unix file permission changes for existing files in the host's filesystem. The vulnerability, identified as CVE-2021-41089, was discovered by Lei Wang and Ruizhi Xiao and disclosed on October 4, 2021. The vulnerability affects Docker Engine versions prior to 20.10.9 (GitHub Advisory, NVD).
The vulnerability allows file permissions to be modified in a way that widens access to others on the host's filesystem when using the docker cp command with a specially-crafted container. The issue specifically relates to how the Docker Engine handles file permissions during copy operations. The vulnerability has a CVSS v3.1 score of 6.3 (Medium), with attack vector being Local, attack complexity Low, and privileges required Low (Ubuntu Security).
While the vulnerability could result in widened access permissions to files on the host system, it does not directly allow files to be read, modified, or executed without an additional cooperating process. The primary impact is the potential exposure of sensitive information through permission changes (GitHub Advisory).
The vulnerability was fixed in Moby (Docker Engine) version 20.10.9. Users are advised to update to this version as soon as possible. Running containers do not need to be restarted after the update. As a workaround before updating, users should ensure they only run trusted containers (GitHub Advisory, Fedora Update).
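A quick way to check a host against the fixed release named above (an added example, not code from the Moby project or the advisories; the function names are hypothetical and the sample version strings are constructed). It compares only the upstream version number, so it cannot tell whether a distribution package with a lower number carries a backported fix.

```sh
#!/bin/sh
# Added example, not Moby project code. Function names are hypothetical.
FIXED="20.10.9"   # fixed release stated in the advisory text above

# Print "major minor patch" with leading zeros and build suffixes removed
# ("18.09.7" -> "18 9 7", "20.10.9+dfsg1" -> "20 10 9"); fail if unparseable.
parse_version() {
    out=$(printf '%s\n' "$1" | sed -n \
        's/^0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Print "fixed", "affected" or "unknown" for an Engine version string.
# Any suffix after the patch number is ignored.
classify_engine() {
    have=$(parse_version "$1") || { echo unknown; return; }
    want=$(parse_version "$FIXED")
    set -- $have $want          # $1-$3 = engine, $4-$6 = fixed release
    if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && echo fixed || echo affected
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && echo fixed || echo affected
    elif [ "$3" -ge "$6" ]; then echo fixed
    else echo affected
    fi
}

# Query the local daemon; needs the docker CLI and access to the Engine socket.
check_local_engine() {
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || v=""
    echo "engine ${v:-<unreachable>}: $(classify_engine "$v")"
}

# Constructed sample version strings, so the script also runs without Docker.
for v in 19.03.15 18.09.7 20.10.8 20.10.9 20.10.9+dfsg1 23.0.1 garbage; do
    printf '%-16s %s\n' "$v" "$(classify_engine "$v")"
done

# On a host with the docker CLI installed, also report the running Engine.
if command -v docker >/dev/null 2>&1; then
    check_local_engine
fi
```

The leading-zero stripping matters for older release series such as 18.09, where a component like "09" would otherwise be rejected as an invalid octal number by some shells.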
Source: This report was generated using AI