linuxfoundation containerd CVE-2021-32760 in Linux Foundation and Fedora Project Products
Published on July 19, 2021

Archive package allows chmod of file outside of unpack target directory

product logo product logo
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the hosts filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Github Repository Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-32760 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2021-32760

stack.watch emails you whenever new vulnerabilities are published in Linux Foundation Containerd or Fedora Project Fedora. Just hit a watch button to start following.

Linux Foundation Containerd
 
Fedora Project Fedora
 

Affected Versions

containerd:

Exploit Probability

EPSS
0.07%
Percentile
21.67%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.