Improper Preservation of Permissions Affecting github.com/containerd/containerd/pkg/cri package, versions >=1.5.0-beta.0 <1.5.9


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.5% (77th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDPKGCRI-2330891
  • published 6 Jan 2022
  • disclosed 6 Jan 2022
  • credit Unknown

How to fix?

Upgrade github.com/containerd/containerd/pkg/cri to version 1.5.9 or higher.

Overview

github.com/containerd/containerd/pkg/cri is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.

Affected versions of this package are vulnerable to Improper Preservation of Permissions. Containers launched through containerd’s CRI implementation on Linux systems which use the SELinux security module and containerd vulnerable version can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories

** Note: ** If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not affected by this issue.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.1 critical
Expand this section

Red Hat

8 high