CVE-2024-25621

{"id": "CVE-2024-25621", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-11-06T19:15:40.090", "references": [{"url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-279"}]}], "descriptions": [{"lang": "en", "value": "containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode."}], "lastModified": "2025-12-31T02:29:30.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD786582-F4AE-41DD-B61F-BD8AF4FC1A04", "versionEndExcluding": "1.7.29"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07087EDC-9E6A-45D1-B6D2-E7F4016CD46E", "versionEndExcluding": "2.0.7", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E760B42-E25C-4780-85AE-D003D6425700", "versionEndExcluding": "2.1.5", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEF71FE5-2286-4D94-82DD-7509CE85F1F6"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3290FD7B-0A16-4968-9800-78B947EF213D"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4352A29-4DFC-4EBE-BE0E-97DEB76E5A30"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57685264-6950-4CB9-ACBE-6944EB3B2C1C"}, {"criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D640701-1D0B-41B7-83B0-79592902E6AC"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}