containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
History

Tue, 19 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-07-19T00:00:00

Updated: 2024-11-19T14:27:20.905Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32760

cve-icon Vulnrichment

Updated: 2024-08-03T23:33:55.800Z

cve-icon NVD

Status : Modified

Published: 2021-07-19T21:15:07.857

Modified: 2024-11-21T06:07:41.097

Link: CVE-2021-32760

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-07-19T00:00:00Z

Links: CVE-2021-32760 - Bugzilla