CVE-2021-32760

Public on 2021-07-19
Modified on 2021-12-01
Description
A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
Severity
Medium
CVSS v3 Base Score
5.5
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 containerd 2021-10-19 20:46 ALAS2DOCKER-2021-010
Amazon Linux 2 containerd 2021-10-19 20:45 ALAS2NITRO-ENCLAVES-2021-010
Amazon Linux 1 containerd 2021-07-19 17:29 ALAS-2021-1523

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L