CVE-2024-25621

EUVD-2024-22942
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As a workaround, a system administrator on the host can manually chmod the directories so that they have no group- or world-accessible permissions, or containerd can be run in rootless mode.
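
One way to check a host for the condition described above and apply the chmod workaround, as an added example that is not code from the containerd project or the advisory. It assumes GNU `stat` and enough privilege to read and chmod the paths; `check_dir`, `audit_containerd_dirs` and the optional root prefix argument (for rehearsing on a scratch tree) are hypothetical names.

```shell
# Directories named in the advisory text.
CONTAINERD_DIRS="/var/lib/containerd
/run/containerd/io.containerd.grpc.v1.cri
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# Print "<mode> <path> <verdict>" for one directory.
# Returns 1 if any group or world permission bit is set,
# 2 if the path is missing, a symlink, or not a directory.
check_dir() {
    dir=$1
    # Refuse symlinks: stat and chmod would otherwise act on the link target.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "---- $dir missing-or-not-a-directory"
        return 2
    fi
    mode=$(stat -c '%a' "$dir") || return 2    # octal mode, e.g. 711
    if [ $(( 0$mode & 077 )) -ne 0 ]; then     # any of the g/o rwx bits
        echo "$mode $dir group-or-world-accessible"
        return 1
    fi
    echo "$mode $dir ok"
}

# audit_containerd_dirs [--fix] [ROOT]
# ROOT is a hypothetical prefix for testing; leave it empty on a real host.
# Returns the number of directories that still have group/world bits set.
audit_containerd_dirs() {
    fix=0
    if [ "${1:-}" = "--fix" ]; then fix=1; shift; fi
    root=${1:-}
    bad=0
    for rel in $CONTAINERD_DIRS; do
        path="$root$rel"
        rc=0; check_dir "$path" || rc=$?
        if [ "$rc" -eq 1 ] && [ "$fix" -eq 1 ]; then
            chmod go-rwx "$path"               # the workaround from the text
            rc=0; check_dir "$path" || rc=$?
        fi
        if [ "$rc" -eq 1 ]; then bad=$((bad + 1)); fi
    done
    return "$bad"
}
```

Run `audit_containerd_dirs` for a read-only report, or `audit_containerd_dirs --fix` to strip the group and world bits; a non-zero return value is the count of directories still exposed.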

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.3 HIGH | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |

EPSS Score percentile: Unknown

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| linuxfoundation | containerd | 𝑥 < 1.7.29 |
| linuxfoundation | containerd | 2.0.0 ≤ 𝑥 < 2.0.7 |
| linuxfoundation | containerd | 2.1.0 ≤ 𝑥 < 2.1.5 |
| linuxfoundation | containerd | 2.2.0:beta0 |
| linuxfoundation | containerd | 2.2.0:beta1 |
| linuxfoundation | containerd | 2.2.0:beta2 |
| linuxfoundation | containerd | 2.2.0:rc0 |
| linuxfoundation | containerd | 2.2.0:rc1 |

𝑥 = Vulnerable software versions
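
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| containerd | bookworm | | vulnerable |
| containerd | bookworm (security) | 1.6.20~ds1-1+deb12u2 | fixed |
| containerd | bullseye | | vulnerable |
| containerd | bullseye (security) | | vulnerable |
| containerd | forky | 1.7.24~ds1-10 | fixed |
| containerd | sid | 1.7.24~ds1-10 | fixed |
| containerd | trixie | | vulnerable |
| containerd | trixie (security) | 1.7.24~ds1-6+deb13u1 | fixed |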
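
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| containerd | bionic | needs-triage |
| containerd | focal | needs-triage |
| containerd | jammy | needs-triage |
| containerd | noble | needs-triage |
| containerd | plucky | needs-triage |
| containerd | questing | needs-triage |
| containerd | xenial | needs-triage |
| containerd-app | focal | needs-triage |
| containerd-app | jammy | needs-triage |
| containerd-app | noble | needs-triage |
| containerd-app | plucky | needs-triage |
| containerd-app | questing | needs-triage |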

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| containerd | suse enterprise sap 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise sap 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise sap 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise server 12 SP5 | 1.7.29-16.105.1 | fixed |
| containerd | suse enterprise server 15 SP2 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise server 15 SP3 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise server 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise server 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd | suse enterprise server 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise sap 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise sap 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise sap 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise sap 15 SP7 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 12 SP5 | 1.7.29-16.105.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP2 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP3 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd-ctr | suse enterprise server 15 SP7 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise sap 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise sap 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise sap 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise sap 15 SP7 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise server 12 SP5 | 1.7.29-16.105.1 | fixed |
| containerd-devel | suse enterprise server 15 SP4 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise server 15 SP5 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise server 15 SP6 | 1.7.29-150000.128.1 | fixed |
| containerd-devel | suse enterprise server 15 SP7 | 1.7.29-150000.128.1 | fixed |