CVE-2024-25621
containerd - security update
Description
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include having a system administrator manually chmod the directories on the host so that they are not group- or world-accessible, or running containerd in rootless mode.
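A host-side check for the workaround described above, added here as an example rather than containerd's or the advisory's own code: it audits the three directories the advisory names for group- or world-accessible mode bits and applies the chmod workaround. The two /run paths assume containerd's default state directory.

```shell
#!/bin/sh
# Audit the three containerd directories named in CVE-2024-25621 for group- or
# world-accessible permission bits, and apply the advisory's chmod workaround.
# Added example, not containerd's own code; the /run paths assume containerd's
# default state directory. Run as root to audit or fix the real directories.
CONTAINERD_DIRS="/var/lib/containerd \
/run/containerd/io.containerd.grpc.v1.cri \
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# dir_mode PATH: print the permission bits in octal (GNU stat, BSD stat fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mode_is_too_open OCTAL: true (0) when any group or other bit is set,
# e.g. 755 and 750 are too open, 700 and 1700 are not.
mode_is_too_open() {
    perm="${1#"${1%???}"}"       # keep the last three digits: owner/group/other
    case "${perm#?}" in          # drop the owner digit, look at group/other
        00) return 1 ;;          # only the owner can access the directory
        *)  return 0 ;;
    esac
}

# harden_dir PATH: the advisory's workaround, strip every group/world access bit.
harden_dir() {
    chmod go-rwx "$1"
}

# audit_containerd_dirs: report each directory; succeed only if none is too open.
audit_containerd_dirs() {
    open=0
    for d in $CONTAINERD_DIRS; do
        if [ ! -d "$d" ]; then
            echo "skip  $d (not present)"
            continue
        fi
        m=$(dir_mode "$d")
        if mode_is_too_open "$m"; then
            echo "OPEN  $d mode $m (group/other bits set)"
            open=$((open + 1))
        else
            echo "ok    $d mode $m"
        fi
    done
    [ "$open" -eq 0 ]
}

audit_containerd_dirs || echo "fix: upgrade containerd, or run harden_dir on each OPEN directory"
```

Directories that do not exist on the host are reported as skipped, so the script is safe to run on a machine that has never started containerd.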
How to fix CVE-2024-25621
To remediate CVE-2024-25621, upgrade the affected package to a fixed version below.
- upgrade to 1.4.13~ds1-1~deb11u6 or later
- upgrade to 1.6.20~ds1-1+deb12u2 or later
- upgrade to 1.4.13~ds1-1~deb11u6 or later
- upgrade to 1.7.29 or later
- upgrade to 1.7.29 or later
- upgrade to 2.0.7 or later
- upgrade to 2.0.7 or later
Is CVE-2024-25621 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (7)
- from 0, < 1.4.13~ds1-1~deb11u6
- from 0, < 1.6.20~ds1-1+deb12u2
- from 0, < 1.4.13~ds1-1~deb11u6
- from 0, < 1.7.29
- from 0, < 1.7.29
- from 0, < 2.0.7; >= 2.1.0-beta.0, < 2.1.5; >= 2.2.0-beta.0, < 2.2.0
- from 0, < 2.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |