CVE-2021-41103 — Path Traversal in Containerd

CWE-22 — Path Traversal12 documents8 sources

Severity

7.8HIGHNVD

OSV6.3

EPSS

0.1%

top 75.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Containerd Github.com Containerd Containerd Linuxfoundation Containerd +2 more

Timeline

PublishedOct 4

Latest updateAug 21

Description

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDlinuxfoundation/containerd1.5.0 — 1.5.7+1

▶CVEListV5containerd/containerd< 1.4.11+1

▶Gogithub.com/containerd_containerd1.5.0 — 1.5.7+1

▶Debiancontainerd/containerd< 1.4.5~ds1-2+deb11u1+3

▶Ubuntucontainerd/containerd< 1.2.6-0ubuntu1~16.04.6+esm2

Also affects: Debian Linux 11.0, Fedora 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd↗2024-08-21

▶

OSV

containerd vulnerabilities↗2022-07-15

▶

OSV

CVE-2021-41103: containerd is an open source container runtime with an emphasis on simplicity, robustness and portability↗2021-10-04

▶

GHSA

Insufficiently restricted permissions on plugin directories↗2021-10-04

▶

OSV

Insufficiently restricted permissions on plugin directories↗2021-10-04

▶

📋Vendor Advisories

Ubuntu

containerd vulnerabilities↗2022-07-15

▶

Microsoft

Insufficiently restricted permissions on plugin directories↗2021-10-12

▶

Ubuntu

containerd vulnerability↗2021-10-04

▶

Red Hat

containerd: insufficiently restricted permissions on container root and plugin directories↗2021-10-04

▶

Debian

CVE-2021-41103: containerd - containerd is an open source container runtime with an emphasis on simplicity, r...↗2021

▶