CVE - CVE-2021-41103

CVE-ID
CVE-2021-41103	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf CONFIRM:https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq URL:https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq DEBIAN:DSA-5002 URL:https://www.debian.org/security/2021/dsa-5002 FEDORA:FEDORA-2021-b5a9a481a2 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/ FEDORA:FEDORA-2021-df975338d4 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/ GENTOO:GLSA-202401-31 URL:https://security.gentoo.org/glsa/202401-31 MISC:https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8 URL:https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20210915	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20210915)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)