CVE-2021-32760

Public on 2021-07-19
Modified on 2021-12-01
Description
A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
Severity
Medium severity
Medium
CVSS v3 Base Score
5.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 containerd 2021-07-19 ALAS-2021-1523 Fixed
Amazon Linux 2 - Docker Extra containerd 2021-10-19 ALAS2DOCKER-2021-010 Fixed
Amazon Linux 2 - Ecs Extra containerd 2023-11-09 ALAS2ECS-2023-029 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd 2021-10-19 ALAS2NITRO-ENCLAVES-2021-010 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
NVD CVSSv3 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P