CVE-2021-21334
published 2021-03-10


Priority: P3 37, medium
CVSS 3.1: 6.3 (AV:N / AC:H / PR:L / UI:N / S:C / C:H / I:N / A:N)
EPSS: 2.04% (78.8th percentile)
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have a reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Affected

17 ranges

Vendor          | Product                                               | Version range                            | Fixed in
----------------|-------------------------------------------------------|------------------------------------------|------------------------------------
containerd      | containerd                                            | < 1.3.10                                 | 1.3.10
containerd      | containerd                                            |                                          |
containerd      | containerd                                            | >= 0 < 1.4.4~ds1-1                       | 1.4.4~ds1-1
containerd      | containerd                                            | >= 0 < 1.4.4~ds1-1                       | 1.4.4~ds1-1
containerd      | containerd                                            | >= 0 < 1.4.4~ds1-1                       | 1.4.4~ds1-1
containerd      | containerd                                            | >= 0 < 1.4.4~ds1-1                       | 1.4.4~ds1-1
debian          | containerd                                            | < containerd 1.4.4~ds1-1 (bookworm)      | containerd 1.4.4~ds1-1 (bookworm)
fedoraproject   | fedora                                                |                                          |
fedoraproject   | fedora                                                |                                          |
github.com      | containerd_containerd                                 | >= 0 < 1.3.10                            | 1.3.10
github.com      | containerd_containerd                                 | >= 1.4.0 < 1.4.4                         | 1.4.4
linuxfoundation | containerd                                            | < 1.3.10                                 | 1.3.10
linuxfoundation | containerd                                            | >= 1.4.0 < 1.4.4                         | 1.4.4
msrc            | azl3_kata-containers_3.15.0.aks0-1_on_azure_linux_3.0 |                                          |
msrc            | cbl_mariner_1.0_arm                                   |                                          |
msrc            | cbl_mariner_1.0_x64                                   |                                          |
msrc            | cm1_moby-containerd_1.4.4+azure-2_on_cbl_mariner_1.0  |                                          |

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.1    | 6.3   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
nvd           | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:N/A:N
osv           |         | 6.3   | MEDIUM   |
vendor_debian |         | 6.3   | MEDIUM   |
vendor_msrc   |         | 6.3   | MEDIUM   |
vendor_redhat |         | 6.3   | MEDIUM   |