CVE-2021-32760
Published 2021-07-19
Priority: P3 · 36 · medium · CVSS 3.1: 6.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS: 1.61% (72.9th percentile)
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | <= 1.4.7 | — |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.4.5~ds1-2 | 1.4.5~ds1-2 |
| containerd | containerd | >= 0 < 1.2.6-0ubuntu1~16.04.6+esm2 | 1.2.6-0ubuntu1~16.04.6+esm2 |
| debian | containerd | < containerd 1.4.5~ds1-2 (bookworm) | containerd 1.4.5~ds1-2 (bookworm) |
| fedoraproject | fedora | — | — |
| github.com | containerd_containerd | >= 0 < 1.4.8 | 1.4.8 |
| github.com | containerd_containerd | >= 1.5.0 < 1.5.4 | 1.5.4 |
| linuxfoundation | containerd | < 1.4.8 | 1.4.8 |
| linuxfoundation | containerd | >= 1.5.0 < 1.5.4 | 1.5.4 |
| msrc | cbl2_moby-containerd_1.4.4+azure-4_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_moby-containerd_1.4.4+azure-2_on_cbl_mariner_1.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.3 | MEDIUM | — |
| vendor_msrc | — | 6.3 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2022-07-15·CVSS 5.0
CVE-2021-32760 [MEDIUM] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered t
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2021-07-20
CVE-2021-32760 containerd vulnerabilities
Title: containerd vulnerabilities
Summary: containerd could be made to overwrite file permissions.
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host filesystem and possibly escalate
privileges.
Instructions: After a standard system update you need to restart containerd to make
all the necessary changes.
Red Hat
containerd: pulling and extracting crafted container image may result in Unix file permission changes
vendor_redhat·2021-07-19·CVSS 5.0
CVE-2021-32760 [MEDIUM] CWE-281 containerd: pulling and extracting crafted container image may result in Unix file permission changes
containerd: pulling and extracting crafted container image may result in Unix file permission changes
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux
Microsoft
Archive package allows chmod of file outside of unpack target directory
vendor_msrc·2021-07-13·CVSS 6.3
CVE-2021-32760 [MEDIUM] CWE-732 Archive package allows chmod of file outside of unpack target directory
Archive package allows chmod of file outside of unpack target directory
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Re
Debian
CVE-2021-32760: containerd - containerd is a container runtime. A bug was found in containerd versions prior ...
vendor_debian·2021·CVSS 5.0
CVE-2021-32760 [MEDIUM] CVE-2021-32760: containerd - containerd is a container runtime. A bug was found in containerd versions prior ...
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that pr
OSV
Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd
osv·2024-08-21
CVE-2021-32760 Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd
Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd
OSV
containerd vulnerabilities
osv·2022-07-15·CVSS 6.3
CVE-2021-41103 [MEDIUM] containerd vulnerabilities
containerd vulnerabilities
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered that containerd allows attackers to gain access to read-only copies
GHSA
Archive package allows chmod of file outside of unpack target directory
ghsa·2021-07-26
CVE-2021-32760 [MEDIUM] CWE-668 Archive package allows chmod of file outside of unpack target directory
Archive package allows chmod of file outside of unpack target directory
## Impact
A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
## Patches
This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted.
## Workarounds
Ensure you only pull images from trusted sources.
Linux se
OSV
Archive package allows chmod of file outside of unpack target directory
osv·2021-07-26
CVE-2021-32760 [MEDIUM] Archive package allows chmod of file outside of unpack target directory
Archive package allows chmod of file outside of unpack target directory
## Impact
A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
## Patches
This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted.
## Workarounds
Ensure you only pull images from trusted sources.
Linux se
OSV
CVE-2021-32760: containerd is a container runtime
osv·2021-07-19·CVSS 6.3
CVE-2021-32760 [MEDIUM] CVE-2021-32760: containerd is a container runtime
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that pr
No detection rules found.
No public exploits indexed.
References:
- https://github.com/containerd/containerd/releases/tag/v1.4.8
- https://github.com/containerd/containerd/releases/tag/v1.5.4
- https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/
- https://security.gentoo.org/glsa/202401-31
Published: 2021-07-19