5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32760

GHSA ID

GHSA-c72p-9xmj-rx3w

EPSS Score

0.35127%

CWE

CWE-668

Published

7/26/2021

Updated

1/31/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32760

CVE-2021-32760: Archive package allows chmod of file outside of unpack target directory

Impact

A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Patches

This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted.

Workarounds

Ensure you only pull images from trusted sources.

Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with unexpected files.

For more information

If you have any questions or comments about this advisory:

Open an issue
Email us at security@containerd.io if you think you’ve found a security bug.

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32760

GHSA ID

GHSA-c72p-9xmj-rx3w

EPSS Score

0.35127%

CWE

CWE-668

Published

7/26/2021

Updated

1/31/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/containerd/containerd	go	< 1.4.8	1.4.8
github.com/containerd/containerd	go	>= 1.5.0, < 1.5.4	1.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how symlink handling was implemented in handleLChmod. The pre-patch code used os.Lstat(hdr.Linkname) to check if the target was a symlink before applying chmod. This allowed attackers to reference host files via symlinks in crafted images. The patch changes this to os.Lstat(path), ensuring permissions are only modified on the extracted symlink file itself, not its external target. The added test case 'HardlinkSymlinkChmod' in tar_test.go directly validates this fix by ensuring permissions on a file referenced via symlink outside the extraction root remain unchanged.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t * *u* w*s *oun* in *ont*in*r* w**r* pullin* *n* *xtr**tin* * sp**i*lly-*r**t** *ont*in*r im*** **n r*sult in Unix *il* p*rmission ***n**s *or *xistin* *il*s in t** *ost’s *il*syst*m. ***n**s to *il* p*rmissions **n **ny ****ss to t** *xp*

Reasoning

T** vuln*r**ility st*ms *rom *ow symlink **n*lin* w*s impl*m*nt** in **n*l*L**mo*. T** pr*-p*t** *o** us** `os.Lst*t(**r.Linkn*m*)` to ****k i* t** t*r**t w*s * symlink ***or* *pplyin* `**mo*`. T*is *llow** *tt**k*rs to r***r*n** *ost *il*s vi* symli

5

Basic Information

Concerned about an active attack path?

CVE-2021-32760: Archive package allows chmod of file outside of unpack target directory

Impact

Patches

Workarounds

For more information

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI