Vulnerability Description
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include having a system administrator manually chmod these directories on the host so that they carry no group or world accessible permissions, or running containerd in rootless mode.
CVSS Score
HIGH (base score 7.3)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Containerd | < 1.7.29 |
Related Weaknesses (CWE)
References
- https://github.com/containerd/containerd/blob/main/docs/rootless.md (Product)
- https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c (Patch)
- https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w (Patch, Vendor Advisory)
FAQ
What is CVE-2024-25621?
CVE-2024-25621 is a vulnerability with a CVSS score of 7.3 (HIGH). containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default p...
How severe is CVE-2024-25621?
CVE-2024-25621 has been rated HIGH with a CVSS base score of 7.3/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2024-25621?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Containerd.