CVE-2021-32760
published 2021-07-19


Priority: P3, 36, medium, 6.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS: 1.61% (72.9th percentile)
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Affected

15 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | <= 1.4.7 | |
| containerd | containerd | | |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm2 | 1.2.6-0ubuntu1~16.04.6+esm2 |
| debian | containerd | < containerd 1.4.5~ds1-2 (bookworm) | containerd 1.4.5~ds1-2 (bookworm) |
| fedoraproject | fedora | | |
| github.com | containerd_containerd | >= 0 < 1.4.8 | 1.4.8 |
| github.com | containerd_containerd | >= 1.5.0 < 1.5.4 | 1.5.4 |
| linuxfoundation | containerd | < 1.4.8 | 1.4.8 |
| linuxfoundation | containerd | >= 1.5.0 < 1.5.4 | 1.5.4 |
| msrc | cbl2_moby-containerd_1.4.4+azure-4_on_cbl_mariner_2.0 | | |
| msrc | cm1_moby-containerd_1.4.4+azure-2_on_cbl_mariner_1.0 | | |

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.3 | MEDIUM | |
| vendor_msrc | | 6.3 | MEDIUM | |
| vendor_debian | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |
| vendor_ubuntu | | 5.0 | MEDIUM | |