{"api_version":"1","generated_at":"2026-05-13T03:12:01+00:00","cve":"CVE-2021-43816","urls":{"html":"https://cve.report/CVE-2021-43816","api":"https://cve.report/api/cve/CVE-2021-43816.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43816","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43816"},"summary":{"title":"CVE-2021-43816","description":"containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-01-05 19:15:00","updated_at":"2023-11-07 03:39:00"},"problem_types":["CWE-281"],"metrics":[],"references":[{"url":"https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299","name":"https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299","refsource":"MISC","tags":[],"title":"Revert \"[cri] label etc files for selinux containers\" · dweomer/containerd@f7f08f0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/issues/6194","name":"https://github.com/containerd/containerd/issues/6194","refsource":"MISC","tags":[],"title":"cri + selinux: /etc/hosts from hostPath mount getting relabeled · Issue #6194 · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/","name":"FEDORA-2022-a0b2a4d594","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: containerd-1.6.0~rc.2-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/","name":"FEDORA-2022-a0b2a4d594","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: containerd-1.6.0~rc.2-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/","name":"FEDORA-2022-f668c3d70d","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: containerd-1.6.0~rc.2-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea","name":"https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea","refsource":"MISC","tags":[],"title":"[cri] label etc files for selinux containers · containerd/containerd@a731039 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c","name":"https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c","refsource":"CONFIRM","tags":[],"title":"containerd CRI plugin: Unprivileged pod using `hostPath` can side-step SELinux · Advisory · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/","name":"FEDORA-2022-f668c3d70d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: containerd-1.6.0~rc.2-3.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43816","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43816","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"beta0","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"beta3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"beta4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"rc0","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43816","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"1.5.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-43816","qid":"182587","title":"Debian Security Update for containerd (CVE-2021-43816)"},{"cve":"CVE-2021-43816","qid":"282386","title":"Fedora Security Update for containerd (FEDORA-2022-a0b2a4d594)"},{"cve":"CVE-2021-43816","qid":"282387","title":"Fedora Security Update for containerd (FEDORA-2022-f668c3d70d)"},{"cve":"CVE-2021-43816","qid":"502050","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-43816","qid":"504645","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-43816","qid":"6140264","title":"AWS Bottlerocket Security Update for containerd (GHSA-x6g3-r23m-qfv9)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-43816","STATE":"PUBLIC","TITLE":"Improper Preservation of Permissions in containerd"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"containerd","version":{"version_data":[{"version_value":">= 1.5.0, < 1.5.9"}]}}]},"vendor_name":"containerd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-281: Improper Preservation of Permissions"}]}]},"references":{"reference_data":[{"name":"https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c","refsource":"CONFIRM","url":"https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c"},{"name":"https://github.com/containerd/containerd/issues/6194","refsource":"MISC","url":"https://github.com/containerd/containerd/issues/6194"},{"name":"https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea","refsource":"MISC","url":"https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea"},{"name":"https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299","refsource":"MISC","url":"https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299"},{"refsource":"FEDORA","name":"FEDORA-2022-f668c3d70d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/"},{"refsource":"FEDORA","name":"FEDORA-2022-a0b2a4d594","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/"}]},"source":{"advisory":"GHSA-mvff-h3cj-wj9c","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-01-05 19:15:00","lastModifiedDate":"2023-11-07 03:39:00","problem_types":["CWE-281"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":2.3,"impactScore":6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta0:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta4:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc0:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionStartIncluding":"1.5.1","versionEndExcluding":"1.5.9","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43816","Ordinal":"221300","Title":"CVE-2021-43816","CVE":"CVE-2021-43816","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43816","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}