CVE-2021-32760
Public on 2021-07-19
Modified on 2021-12-01
Description
A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | containerd | 2021-07-19 | ALAS-2021-1523 | Fixed |
| Amazon Linux 2 - Docker Extra | containerd | 2021-10-19 | ALAS2DOCKER-2021-010 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2023-11-09 | ALAS2ECS-2023-029 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2021-10-19 | ALAS2NITRO-ENCLAVES-2021-010 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| NVD | CVSSv3 | 5.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
| NVD | CVSSv2 | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |