{"api_version":"1","generated_at":"2026-04-23T05:14:44+00:00","cve":"CVE-2021-32760","urls":{"html":"https://cve.report/CVE-2021-32760","api":"https://cve.report/api/cve/CVE-2021-32760.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32760","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32760"},"summary":{"title":"CVE-2021-32760","description":"containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-07-19 21:15:00","updated_at":"2024-01-31 13:15:00"},"problem_types":["CWE-732"],"metrics":[],"references":[{"url":"https://github.com/containerd/containerd/releases/tag/v1.5.4","name":"https://github.com/containerd/containerd/releases/tag/v1.5.4","refsource":"MISC","tags":[],"title":"Release containerd 1.5.4 · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w","name":"https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w","refsource":"CONFIRM","tags":[],"title":"Archive package allows chmod of file outside of unpack target directory · Advisory · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/releases/tag/v1.4.8","name":"https://github.com/containerd/containerd/releases/tag/v1.4.8","refsource":"MISC","tags":[],"title":"Release containerd 1.4.8 · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202401-31","name":"GLSA-202401-31","refsource":"","tags":[],"title":"containerd: Multiple Vulnerabilities (GLSA 202401-31) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/","name":"FEDORA-2021-53ce601cb0","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: containerd-1.5.5-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/","name":"FEDORA-2021-53ce601cb0","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: containerd-1.5.5-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32760","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32760","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32760","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32760","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-32760","qid":"159320","title":"Oracle Enterprise Linux Security Update for containerd (ELSA-2021-9373)"},{"cve":"CVE-2021-32760","qid":"159382","title":"Oracle Enterprise Linux Security Update for containerd (ELSA-2021-15790)"},{"cve":"CVE-2021-32760","qid":"179858","title":"Debian Security Update for containerd (CVE-2021-32760)"},{"cve":"CVE-2021-32760","qid":"198433","title":"Ubuntu Security Notification for containerd vulnerabilities (USN-5012-1)"},{"cve":"CVE-2021-32760","qid":"281850","title":"Fedora Security Update for containerd (FEDORA-2021-53ce601cb0)"},{"cve":"CVE-2021-32760","qid":"352492","title":"Amazon Linux Security Advisory for containerd: ALAS-2021-1523"},{"cve":"CVE-2021-32760","qid":"353049","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2021-010"},{"cve":"CVE-2021-32760","qid":"353062","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2021-010"},{"cve":"CVE-2021-32760","qid":"356890","title":"Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-029"},{"cve":"CVE-2021-32760","qid":"501538","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-32760","qid":"501828","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-32760","qid":"504642","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-32760","qid":"6140358","title":"AWS Bottlerocket Security Update for containerd (GHSA-786q-rjmj-cj3g)"},{"cve":"CVE-2021-32760","qid":"671467","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1424)"},{"cve":"CVE-2021-32760","qid":"671480","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1445)"},{"cve":"CVE-2021-32760","qid":"671504","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1501)"},{"cve":"CVE-2021-32760","qid":"671542","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1482)"},{"cve":"CVE-2021-32760","qid":"671845","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1886)"},{"cve":"CVE-2021-32760","qid":"671881","title":"EulerOS Security Update for docker-engine (EulerOS-SA-2022-1926)"},{"cve":"CVE-2021-32760","qid":"710846","title":"Gentoo Linux containerd Multiple Vulnerabilities (GLSA 202401-31)"},{"cve":"CVE-2021-32760","qid":"750853","title":"OpenSUSE Security Update for containerd (openSUSE-SU-2021:2412-1)"},{"cve":"CVE-2021-32760","qid":"750893","title":"OpenSUSE Security Update for containerd (openSUSE-SU-2021:1081-1)"},{"cve":"CVE-2021-32760","qid":"751272","title":"SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:3506-1)"},{"cve":"CVE-2021-32760","qid":"751273","title":"OpenSUSE Security Update for containerd, docker, runc (openSUSE-SU-2021:3506-1)"},{"cve":"CVE-2021-32760","qid":"751303","title":"OpenSUSE Security Update for containerd, docker, runc (openSUSE-SU-2021:1404-1)"},{"cve":"CVE-2021-32760","qid":"900212","title":"CBL-Mariner Linux Security Update for moby-containerd 1.4.4"},{"cve":"CVE-2021-32760","qid":"901088","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (6680-1)"},{"cve":"CVE-2021-32760","qid":"903386","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (4610)"},{"cve":"CVE-2021-32760","qid":"980391","title":"Go (go) Security Update for github.com/containerd/containerd (GHSA-c72p-9xmj-rx3w)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-32760","STATE":"PUBLIC","TITLE":"Archive package allows chmod of file outside of unpack target directory"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"containerd","version":{"version_data":[{"version_value":"<= 1.4.7"},{"version_value":">= 1.5.0, <= 1.5.3"}]}}]},"vendor_name":"containerd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-668: Exposure of Resource to Wrong Sphere"}]}]},"references":{"reference_data":[{"name":"https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w","refsource":"CONFIRM","url":"https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w"},{"name":"https://github.com/containerd/containerd/releases/tag/v1.4.8","refsource":"MISC","url":"https://github.com/containerd/containerd/releases/tag/v1.4.8"},{"name":"https://github.com/containerd/containerd/releases/tag/v1.5.4","refsource":"MISC","url":"https://github.com/containerd/containerd/releases/tag/v1.5.4"},{"refsource":"FEDORA","name":"FEDORA-2021-53ce601cb0","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/"}]},"source":{"advisory":"GHSA-c72p-9xmj-rx3w","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-07-19 21:15:00","lastModifiedDate":"2024-01-31 13:15:00","problem_types":["CWE-732"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW","baseScore":6.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.0","versionEndExcluding":"1.5.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionEndExcluding":"1.4.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32760","Ordinal":"208148","Title":"CVE-2021-32760","CVE":"CVE-2021-32760","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32760","Ordinal":"1","NoteData":"containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32760","Ordinal":"2","NoteData":"2021-07-19","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32760","Ordinal":"3","NoteData":"2021-08-25","Type":"Other","Title":"Modified"}]}}}