Home > Vulnerability Database > CVE-2021-32760

Mend.io Vulnerability Database

CVE-2021-32760

Good to know:

Date: July 18, 2021

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Language: Go

Severity Score

5.0

Related Resources (12)

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/

Url: https://github.com/containerd/containerd

Url: https://github.com/containerd/containerd/commit/22e9a70c71eff6507be71955947a611f2ed91e6c

Url: https://github.com/containerd/containerd/releases/tag/v1.4.8

Url: https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-32760

Url: https://github.com/containerd/containerd/releases/tag/v1.5.4

Url: https://security.gentoo.org/glsa/202401-31

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3

Url: https://github.com/containerd/containerd/commit/7ad08c69e09ee4930a48dbf2aab3cd612458617f

Url: https://www.mend.io/vulnerability-database/CVE-2021-32760

Severity Score

5.0

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

Upgrade Version

Upgrade to version v1.4.8 ,v1.5.4

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-32760

Good to know:

Date: July 18, 2021

Language: Go

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?