Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-32760

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Published

2021-07-19T21:15:07.857

Last Modified

2024-11-21T06:07:41.097

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-668
Type: Primary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	linuxfoundation	containerd	< 1.4.8	Yes
Application	linuxfoundation	containerd	< 1.5.4	Yes
Operating System	fedoraproject	fedora	34	Yes

References

https://github.com/containerd/containerd/releases/tag/v1.4.8 Release Notes, Third Party Advisory ([email protected])
https://github.com/containerd/containerd/releases/tag/v1.5.4 Release Notes, Third Party Advisory ([email protected])
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/ ([email protected])
https://security.gentoo.org/glsa/202401-31 ([email protected])
https://github.com/containerd/containerd/releases/tag/v1.4.8 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/containerd/containerd/releases/tag/v1.5.4 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202401-31 (af854a3a-2127-422b-91ae-364da2661108)