Skip to main content

Containerd CVE-2021-32760

MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2021-07-19 security-advisories@github.com
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Jul 19, 2021 - 21:15 nvd
MEDIUM 6.3

DescriptionNVD

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

AnalysisAI

containerd is a container runtime. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Resource to Wrong Sphere (CWE-668), which allows attackers to access resources from an unintended security context. containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files. Affected products include: Linuxfoundation Containerd, Fedoraproject Fedora. Version information: prior to 1.4.8.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement proper access controls, validate resource access permissions, use security boundaries.

CVE-2023-25173 HIGH POC
7.8 Feb 16

containerd is an open source container runtime. Rated high severity (CVSS 7.8), this vulnerability is low attack complex

CVE-2022-23648 HIGH POC
7.5 Mar 03

containerd is a container runtime available as a daemon for Linux and Windows. Rated high severity (CVSS 7.5), this vuln

CVE-2026-53488 CRITICAL
9.4 Jun 19

Host command execution in containerd's CRI plugin arises because labels from an image config (Dockerfile LABEL instructi

CVE-2026-53492 HIGH
8.4 Jun 19

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding p

CVE-2026-53489 HIGH
8.2 Jun 19

Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kub

CVE-2021-41103 HIGH
7.8 Oct 04

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. Rated high se

CVE-2022-23471 MEDIUM
6.5 Dec 07

containerd is an open source container runtime. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit

CVE-2021-21334 MEDIUM
6.3 Mar 10

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through con

CVE-2020-15157 MEDIUM
6.1 Oct 16

In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability

CVE-2026-50195 MEDIUM
5.6 Jun 19

Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrup

CVE-2023-25153 MEDIUM
5.5 Feb 16

containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is no authenticatio

CVE-2022-31030 MEDIUM
5.5 Jun 09

containerd is an open source container runtime. Rated medium severity (CVSS 5.5), this vulnerability is low attack compl

Share

CVE-2021-32760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy