CVE-2021-27886

9.8 CRITICAL

📋 TL;DR

CVE-2021-27886 is a command injection vulnerability in rakibtg Docker Dashboard that allows attackers to execute arbitrary commands on the host system by injecting shell metacharacters in API requests. It affects versions of the third-party Docker Dashboard web interface from before February 28, 2021. Note that this is not an official Docker, Inc. product.

💻 Affected Systems

Products:
  • rakibtg Docker Dashboard
Versions: All versions before 2021-02-28
Operating Systems: All platforms running Docker Dashboard
Default Config Vulnerable: ⚠️ Yes
Notes: This is a third-party Docker management interface, not an official Docker product. The vulnerability exists in the terminal.js utility component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the host system, allowing attackers to execute arbitrary commands with the privileges of the Docker Dashboard process, potentially leading to full system takeover, data exfiltration, or lateral movement.

🟠

Likely Case

Remote code execution leading to container escape, privilege escalation, and unauthorized access to the underlying host system and other containers.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege principles, and input validation are implemented, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the Docker Dashboard API endpoint. Public exploit code is available in Packet Storm Security references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 79cdc41809f2030fce21a1109898bd79e4190661 and later

Vendor Advisory: https://github.com/rakibtg/docker-web-gui/commit/79cdc41809f2030fce21a1109898bd79e4190661

Restart Required: Yes

Instructions:

1. Update to the latest version of Docker Dashboard from the official GitHub repository.
2. Apply the security patch from commit 79cdc41809f2030fce21a1109898bd79e4190661.
3. Restart the Docker Dashboard service.

🔧 Temporary Workarounds

Disable Terminal API Endpoint

Platform: all

Temporarily disable the vulnerable terminal.js API endpoint until patching is possible

Modify backend/utilities/terminal.js to remove or disable command execution functionality

Network Access Control

Platform: linux

Restrict network access to Docker Dashboard to trusted IP addresses only

iptables -A INPUT -p tcp --dport [DASHBOARD_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [DASHBOARD_PORT] -j DROP

🧯 If You Can't Patch

  • Immediately isolate the Docker Dashboard instance from production networks and internet access
  • Implement strict network segmentation and firewall rules to limit access to authorized users only

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Docker Dashboard version predates the February 28, 2021 patch. Review the terminal.js file for proper input sanitization of the command parameter.

Check Version:

Check the Docker Dashboard version in the application interface or review the git commit history

Verify Fix Applied:

Verify that commit 79cdc41809f2030fce21a1109898bd79e4190661 is applied in your installation. Test that shell metacharacters in API requests no longer execute arbitrary commands.
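
What adequate input handling in a command-running utility such as terminal.js can look like, as an added example that is not code from the rakibtg/docker-web-gui repository or its patch. The function names, the action allowlist and the action/container request shape are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not the project's own code.
// Subcommands this hypothetical API is willing to run against a container.
const ALLOWED_ACTIONS = new Set(['start', 'stop', 'restart', 'logs', 'inspect']);

// Container IDs are hex and names are limited to [a-zA-Z0-9][a-zA-Z0-9_.-]*,
// so a valid reference never contains ; & | $ ` quotes, spaces or a leading '-'.
const CONTAINER_REF = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

// Vulnerable pattern, for contrast: request data concatenated into one string
// that a shell later parses, so a ';' in the input starts a second command.
function buildShellStringUnsafe(action, container) {
  return 'docker ' + action + ' ' + container;
}

// Hardened pattern: validate each field, then return an argv array.
function buildDockerArgv(action, container) {
  if (typeof action !== 'string' || !ALLOWED_ACTIONS.has(action)) {
    throw new Error('action not allowed');
  }
  if (typeof container !== 'string' || !CONTAINER_REF.test(container)) {
    throw new Error('invalid container reference');
  }
  return [action, container];
}

// execFile() starts the binary directly with no shell, so each argv element
// reaches docker as one literal argument even if validation were bypassed.
async function runDocker(action, container, binary = 'docker') {
  const { execFile } = await import('node:child_process');
  const argv = buildDockerArgv(action, container);
  return new Promise((resolve, reject) => {
    execFile(binary, argv, { timeout: 10000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// Helper for regression tests: true when validation rejects the input.
function isRejected(action, container) {
  try { buildDockerArgv(action, container); return false; }
  catch (e) { return true; }
}
```

Calling isRejected() with inputs that contain the metacharacters listed under Log Indicators gives a regression check that can run without a Docker daemon.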

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in Docker Dashboard logs
  • API requests containing shell metacharacters (;, &, |, $, etc.) to terminal endpoints
  • Unexpected process creation from the Docker Dashboard service

Network Indicators:

  • Unusual outbound connections from the Docker Dashboard host
  • Traffic to terminal-related API endpoints from unauthorized sources

SIEM Query:

source="docker-dashboard" AND (command="*;*" OR command="*&*" OR command="*|*" OR command="*$*" OR command="*`*")
