containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Fedoraproject
  • Fedora
Linuxfoundation
  • Containerd
Redhat
  • Openstack
  • Service Mesh

Configuration 1 [-]

OR cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat OpenShift Service Mesh 2.4 for RHEL 8
openshift-service-mesh/grafana-rhel8:2.4.4-2 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/istio-cni-rhel8:2.4.4-5 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/istio-must-gather-rhel8:2.4.4-3 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/istio-rhel8-operator:2.4.4-6 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/kiali-rhel8:1.65.9-4 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/kiali-rhel8-operator:1.65.9-1 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/pilot-rhel8:2.4.4-5 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/proxyv2-rhel8:2.4.4-5 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
openshift-service-mesh/ratelimit-rhel8:2.4.4-2 cpe:/a:redhat:service_mesh:2.4::el8 RHSA-2023:5952 2023-10-19T00:00:00Z
Red Hat OpenStack Platform 16.2
rhosp-rhel8-tech-preview/osp-director-operator:1.2.3-2 cpe:/a:redhat:openstack:16.2::el8 RHSA-2022:2183 2022-05-11T00:00:00Z
References
Link Providers
https://github.com/containerd/containerd/releases/tag/v1.4.8 cve-icon cve-icon
https://github.com/containerd/containerd/releases/tag/v1.5.4 cve-icon cve-icon
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-32760 cve-icon
https://security.gentoo.org/glsa/202401-31 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-32760 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-07-19T00:00:00

Updated: 2024-08-03T23:33:55.800Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32760

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-07-19T21:15:07.857

Modified: 2024-01-31T13:15:08.313

Link: CVE-2021-32760

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-07-19T00:00:00Z

Links: CVE-2021-32760 - Bugzilla