Vulnerability-Lookup

WID-SEC-W-2022-1002

Vulnerability from csaf_certbund - Published: 2021-12-08 23:00 - Updated: 2023-11-16 23:00

Summary

Amazon Linux 2: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Amazon Linux ist eine Linux Distribition, die für Amazon Clouddienste optimiert ist.

Angriff: Ein lokaler Angreifer kann mehrere Schwachstellen in Amazon Linux 2 ausnutzen, um Informationen offenzulegen, Dateien zu manipulieren oder falsche Informationen darzustellen.

Betroffene Betriebssysteme: - Linux

CVE-2021-21334

Es existiert eine Schwachstelle in Amazon Linux 2 im "containerd CRI plugin". Sie besteht darin, dass Pull-Operationen durch das Plugin dazu führen, dass gleiche Images unterschiedliche Umgebungsvariablen erhalten. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren.

Affected products

Known affected 4 products

Product	Identifier	Version
Amazon Linux 2 plugins Amazon / Linux 2	`cpe:/o:amazon:linux_2:plugins`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon / Linux 2	`cpe:/o:amazon:linux_2:-`	—

CVE-2021-32760

Es existiert eine Schwachstelle in Amazon Linux 2 im "containerd"-plugin. Sie ist auf eine mögliche Änderung von Dateiberechtigungen zurückzuführen. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren.

Affected products

Known affected 4 products

Product	Identifier	Version
Amazon Linux 2 plugins Amazon / Linux 2	`cpe:/o:amazon:linux_2:plugins`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon / Linux 2	`cpe:/o:amazon:linux_2:-`	—

CVE-2021-41190

Es existiert eine Schwachstelle in Amazon Linux 2 in den Plugins "containerd" und "docker". Sie ist auf eine unsichere Deserialisierung zurückzuführen. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um falsche Informationen darzustellen.

Affected products

Known affected 4 products

Product	Identifier	Version
Amazon Linux 2 plugins Amazon / Linux 2	`cpe:/o:amazon:linux_2:plugins`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon / Linux 2	`cpe:/o:amazon:linux_2:-`	—

CVE-2020-15157

Es existiert eine Schwachstelle in Amazon Linux 2. Sie tritt bei einer Pull-Operation eines Containers auf. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.

Affected products

Known affected 4 products

Product	Identifier	Version
Amazon Linux 2 plugins Amazon / Linux 2	`cpe:/o:amazon:linux_2:plugins`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Amazon Linux 2 Amazon / Linux 2	`cpe:/o:amazon:linux_2:-`	—

References

16 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://alas.aws.amazon.com/AL2/ALASECS-2023-025.html	external
https://alas.aws.amazon.com/AL2/ALASECS-2023-029.html	external
https://alas.aws.amazon.com/AL2/ALASECS-2023-026.html	external
https://alas.aws.amazon.com/AL2/ALASECS-2023-014.html	external
https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-0…	external
https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-0…	external
https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-0…	external
https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-0…	external
https://alas.aws.amazon.com/ALAS-2021-1555.html	external
https://access.redhat.com/errata/RHSA-2022:0687	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2022:1734	external
https://access.redhat.com/errata/RHSA-2022:5069	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Amazon Linux ist eine Linux Distribition, die f\u00fcr Amazon Clouddienste optimiert ist.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Amazon Linux 2 ausnutzen, um Informationen offenzulegen, Dateien zu manipulieren oder falsche Informationen darzustellen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1002 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1002.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1002 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1002"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASECS-2023-025 vom 2023-11-17",
        "url": "https://alas.aws.amazon.com/AL2/ALASECS-2023-025.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASECS-2023-029 vom 2023-11-17",
        "url": "https://alas.aws.amazon.com/AL2/ALASECS-2023-029.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASECS-2023-026 vom 2023-11-17",
        "url": "https://alas.aws.amazon.com/AL2/ALASECS-2023-026.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASECS-2023-014 vom 2023-10-20",
        "url": "https://alas.aws.amazon.com/AL2/ALASECS-2023-014.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory  vom 2021-12-08",
        "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-010.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory  vom 2021-12-08",
        "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-011.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory  vom 2021-12-08",
        "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-013.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory  vom 2021-12-08",
        "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2021-014.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2021-1555 vom 2022-01-11",
        "url": "https://alas.aws.amazon.com/ALAS-2021-1555.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:0687 vom 2022-03-01",
        "url": "https://access.redhat.com/errata/RHSA-2022:0687"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:23018-1 vom 2022-03-04",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010347.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:1507-1 vom 2022-05-03",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-May/010921.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1734 vom 2022-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2022:1734"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:5069 vom 2022-08-10",
        "url": "https://access.redhat.com/errata/RHSA-2022:5069"
      }
    ],
    "source_lang": "en-US",
    "title": "Amazon Linux 2: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-11-16T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:33:12.859+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-1002",
      "initial_release_date": "2021-12-08T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-12-08T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-01-11T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-02-28T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-03-03T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-05-03T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-05-05T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-08-10T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-19T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2023-11-16T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Amazon aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Amazon Linux 2",
                "product": {
                  "name": "Amazon Linux 2",
                  "product_id": "398363",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:amazon:linux_2:-"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Amazon Linux 2 plugins",
                "product": {
                  "name": "Amazon Linux 2 plugins",
                  "product_id": "T021223",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:amazon:linux_2:plugins"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux 2"
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21334",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Amazon Linux 2 im \"containerd CRI plugin\". Sie besteht darin, dass Pull-Operationen durch das Plugin dazu f\u00fchren, dass gleiche Images unterschiedliche Umgebungsvariablen erhalten. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T021223",
          "T002207",
          "67646",
          "398363"
        ]
      },
      "release_date": "2021-12-08T23:00:00.000+00:00",
      "title": "CVE-2021-21334"
    },
    {
      "cve": "CVE-2021-32760",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Amazon Linux 2 im \"containerd\"-plugin. Sie ist auf eine m\u00f6gliche \u00c4nderung von Dateiberechtigungen zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Dateien zu manipulieren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T021223",
          "T002207",
          "67646",
          "398363"
        ]
      },
      "release_date": "2021-12-08T23:00:00.000+00:00",
      "title": "CVE-2021-32760"
    },
    {
      "cve": "CVE-2021-41190",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Amazon Linux 2 in den Plugins \"containerd\" und \"docker\". Sie ist auf eine unsichere Deserialisierung zur\u00fcckzuf\u00fchren. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um falsche Informationen darzustellen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T021223",
          "T002207",
          "67646",
          "398363"
        ]
      },
      "release_date": "2021-12-08T23:00:00.000+00:00",
      "title": "CVE-2021-41190"
    },
    {
      "cve": "CVE-2020-15157",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Amazon Linux 2. Sie tritt bei einer Pull-Operation eines Containers auf. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T021223",
          "T002207",
          "67646",
          "398363"
        ]
      },
      "release_date": "2021-12-08T23:00:00.000+00:00",
      "title": "CVE-2020-15157"
    }
  ]
}

CVE-2020-15157 (GCVE-0-2020-15157)

Vulnerability from cvelistv5 – Published: 2020-10-16 16:45 – Updated: 2024-08-04 13:08

Title

containerd can be coerced into leaking credentials during image pull

Summary

In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/containerd/containerd/security…	x_refsource_CONFIRM
https://github.com/containerd/containerd/releases…	x_refsource_MISC
https://usn.ubuntu.com/4589-1/	vendor-advisoryx_refsource_UBUNTU
https://usn.ubuntu.com/4589-2/	vendor-advisoryx_refsource_UBUNTU
https://www.debian.org/security/2021/dsa-4865	vendor-advisoryx_refsource_DEBIAN

Impacted products

1 product

Vendor	Product	Version
containerd	containerd	Affected: < 1.2.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
          },
          {
            "name": "USN-4589-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4589-1/"
          },
          {
            "name": "USN-4589-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4589-2/"
          },
          {
            "name": "DSA-4865",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4865"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a \u201cforeign layer\u201d), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user\u0027s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-28T11:06:37.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
        },
        {
          "name": "USN-4589-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4589-1/"
        },
        {
          "name": "USN-4589-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4589-2/"
        },
        {
          "name": "DSA-4865",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4865"
        }
      ],
      "source": {
        "advisory": "GHSA-742w-89gc-8m9c",
        "discovery": "UNKNOWN"
      },
      "title": "containerd can be coerced into leaking credentials during image pull",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15157",
          "STATE": "PUBLIC",
          "TITLE": "containerd can be coerced into leaking credentials during image pull"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "containerd",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.2.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "containerd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a \u201cforeign layer\u201d), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user\u0027s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522 Insufficiently Protected Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
              "refsource": "CONFIRM",
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.2.14",
              "refsource": "MISC",
              "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
            },
            {
              "name": "USN-4589-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4589-1/"
            },
            {
              "name": "USN-4589-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4589-2/"
            },
            {
              "name": "DSA-4865",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4865"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-742w-89gc-8m9c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15157",
    "datePublished": "2020-10-16T16:45:18.000Z",
    "dateReserved": "2020-06-25T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:08:22.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-21334 (GCVE-0-2021-21334)

Vulnerability from cvelistv5 – Published: 2021-03-10 21:30 – Updated: 2024-08-03 18:09

Title

environment variable leak

Summary

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-668 - {"CWE-668":"Exposure of Resource to Wrong Sphere"}

Assigner

GitHub_M

References

8 references

URL	Tags
https://github.com/containerd/containerd/security…	x_refsource_CONFIRM
https://github.com/containerd/containerd/releases…	x_refsource_MISC
https://github.com/containerd/containerd/releases…	x_refsource_MISC
https://github.com/containerd/containerd/commit/0…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://security.gentoo.org/glsa/202105-33	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
containerd	containerd	Affected: < 1.3.10 Affected: >= 1.4.0, < 1.4.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.415Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.4.4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.3.10"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e"
          },
          {
            "name": "FEDORA-2021-470fa24f5b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/"
          },
          {
            "name": "FEDORA-2021-10ce8fcbf1",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/"
          },
          {
            "name": "FEDORA-2021-f049305892",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/"
          },
          {
            "name": "GLSA-202105-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202105-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 1.4.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd\u0027s CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd\u0027s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "{\"CWE-668\":\"Exposure of Resource to Wrong Sphere\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-26T11:08:46.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.4.4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.3.10"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e"
        },
        {
          "name": "FEDORA-2021-470fa24f5b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/"
        },
        {
          "name": "FEDORA-2021-10ce8fcbf1",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/"
        },
        {
          "name": "FEDORA-2021-f049305892",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/"
        },
        {
          "name": "GLSA-202105-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202105-33"
        }
      ],
      "source": {
        "advisory": "GHSA-6g2q-w5j3-fwh4",
        "discovery": "UNKNOWN"
      },
      "title": "environment variable leak",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21334",
          "STATE": "PUBLIC",
          "TITLE": "environment variable leak"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "containerd",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.10"
                          },
                          {
                            "version_value": "\u003e= 1.4.0, \u003c 1.4.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "containerd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd\u0027s CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd\u0027s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-668\":\"Exposure of Resource to Wrong Sphere\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4",
              "refsource": "CONFIRM",
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.4.4",
              "refsource": "MISC",
              "url": "https://github.com/containerd/containerd/releases/tag/v1.4.4"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.3.10",
              "refsource": "MISC",
              "url": "https://github.com/containerd/containerd/releases/tag/v1.3.10"
            },
            {
              "name": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e",
              "refsource": "MISC",
              "url": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e"
            },
            {
              "name": "FEDORA-2021-470fa24f5b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/"
            },
            {
              "name": "FEDORA-2021-10ce8fcbf1",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/"
            },
            {
              "name": "FEDORA-2021-f049305892",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/"
            },
            {
              "name": "GLSA-202105-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202105-33"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-6g2q-w5j3-fwh4",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21334",
    "datePublished": "2021-03-10T21:30:18.000Z",
    "dateReserved": "2020-12-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:09:15.415Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-32760 (GCVE-0-2021-32760)

Vulnerability from cvelistv5 – Published: 2021-07-19 00:00 – Updated: 2024-11-19 14:27

Title

Archive package allows chmod of file outside of unpack target directory

Summary

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Severity

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/containerd/containerd/security…
https://github.com/containerd/containerd/releases…
https://github.com/containerd/containerd/releases…
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202401-31	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
containerd	containerd	Affected: <= 1.4.7 Affected: >= 1.5.0, <= 1.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.800Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.4.8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.5.4"
          },
          {
            "name": "FEDORA-2021-53ce601cb0",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/"
          },
          {
            "name": "GLSA-202401-31",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-31"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32760",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T14:27:11.335304Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T14:27:20.905Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c= 1.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host\u2019s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T13:06:23.914Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w"
        },
        {
          "url": "https://github.com/containerd/containerd/releases/tag/v1.4.8"
        },
        {
          "url": "https://github.com/containerd/containerd/releases/tag/v1.5.4"
        },
        {
          "name": "FEDORA-2021-53ce601cb0",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/"
        },
        {
          "name": "GLSA-202401-31",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-31"
        }
      ],
      "source": {
        "advisory": "GHSA-c72p-9xmj-rx3w",
        "discovery": "UNKNOWN"
      },
      "title": "Archive package allows chmod of file outside of unpack target directory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32760",
    "datePublished": "2021-07-19T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2024-11-19T14:27:20.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41190 (GCVE-0-2021-41190)

Vulnerability from cvelistv5 – Published: 2021-11-17 19:20 – Updated: 2024-08-04 03:08

Title

Clarify Content-Type handling in OCI spec

Summary

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.

Severity

3 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Assigner

GitHub_M

References

11 references

URL	Tags
https://github.com/opencontainers/distribution-sp…	x_refsource_CONFIRM
https://github.com/opencontainers/distribution-sp…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/1…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

1 product

Vendor	Product	Version
opencontainers	distribution-spec	Affected: < 1.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.262Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
          },
          {
            "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
          },
          {
            "name": "FEDORA-2021-d250fc2622",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
          },
          {
            "name": "FEDORA-2021-6dc68dbe4d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
          },
          {
            "name": "FEDORA-2021-79ba5abef6",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
          },
          {
            "name": "FEDORA-2021-eb2742b148",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
          },
          {
            "name": "FEDORA-2021-3dda301691",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
          },
          {
            "name": "FEDORA-2021-aacef7fa15",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
          },
          {
            "name": "FEDORA-2021-62352983b4",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
          },
          {
            "name": "FEDORA-2021-6789ed60f2",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "distribution-spec",
          "vendor": "opencontainers",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-10T02:06:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
        },
        {
          "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
        },
        {
          "name": "FEDORA-2021-d250fc2622",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
        },
        {
          "name": "FEDORA-2021-6dc68dbe4d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
        },
        {
          "name": "FEDORA-2021-79ba5abef6",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
        },
        {
          "name": "FEDORA-2021-eb2742b148",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
        },
        {
          "name": "FEDORA-2021-3dda301691",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
        },
        {
          "name": "FEDORA-2021-aacef7fa15",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
        },
        {
          "name": "FEDORA-2021-62352983b4",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
        },
        {
          "name": "FEDORA-2021-6789ed60f2",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
        }
      ],
      "source": {
        "advisory": "GHSA-mc8v-mgrf-8f4m",
        "discovery": "UNKNOWN"
      },
      "title": "Clarify Content-Type handling in OCI spec",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41190",
          "STATE": "PUBLIC",
          "TITLE": "Clarify Content-Type handling in OCI spec"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "distribution-spec",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "opencontainers"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m",
              "refsource": "CONFIRM",
              "url": "https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m"
            },
            {
              "name": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923",
              "refsource": "MISC",
              "url": "https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923"
            },
            {
              "name": "[oss-security] 20211119 CVE-2021-41190 OCI distribution and image spec: \"content-type\" confusion",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/19/10"
            },
            {
              "name": "FEDORA-2021-d250fc2622",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/"
            },
            {
              "name": "FEDORA-2021-6dc68dbe4d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/"
            },
            {
              "name": "FEDORA-2021-79ba5abef6",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/"
            },
            {
              "name": "FEDORA-2021-eb2742b148",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/"
            },
            {
              "name": "FEDORA-2021-3dda301691",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/"
            },
            {
              "name": "FEDORA-2021-aacef7fa15",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/"
            },
            {
              "name": "FEDORA-2021-62352983b4",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/"
            },
            {
              "name": "FEDORA-2021-6789ed60f2",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mc8v-mgrf-8f4m",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41190",
    "datePublished": "2021-11-17T19:20:11.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2024-08-04T03:08:31.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-1002

CVE-2020-15157 (GCVE-0-2020-15157)

CVE-2021-21334 (GCVE-0-2021-21334)

CVE-2021-32760 (GCVE-0-2021-32760)

CVE-2021-41190 (GCVE-0-2021-41190)

Tags

Sightings

Nomenclature