CVE-2021-32760

Public on 2021-07-19

Modified on 2021-12-01

Description

A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Severity

Medium

See what this means

CVSS v3 Base Score

5.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	containerd	2021-07-19 17:29	ALAS-2021-1523
Amazon Linux 2 - Docker Extra	containerd	2021-10-19 20:46	ALAS2DOCKER-2021-010
Amazon Linux 2 - Ecs Extra	containerd	2023-11-09 20:27	ALAS2ECS-2023-029
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra	containerd	2021-10-19 20:45	ALAS2NITRO-ENCLAVES-2021-010

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
NVD	CVSSv3	5.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
NVD	CVSSv2	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P

References

Red Hat: CVE-2021-32760 Mitre: CVE-2021-32760 FAQs regarding Amazon Linux ALAS/CVE Severity