Source: Ubuntu CVE (ubuntu.com), ID UB:CVE-2021-41103
Date: Oct 04, 2021 - 12:00 a.m.

CVE-2021-41103


CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.5%

containerd is an open source container runtime with an emphasis on
simplicity, robustness and portability. A bug was found in containerd where
container root directories and some plugins had insufficiently restricted
permissions, allowing otherwise unprivileged Linux users to traverse
directory contents and execute programs. When containers included
executable programs with extended permission bits (such as setuid),
unprivileged Linux users could discover and execute those programs. When
the UID of an unprivileged Linux user on the host collided with the file
owner or group inside a container, the unprivileged Linux user on the host
could discover, read, and modify those files. This vulnerability has been
fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to
these versions when they are released and may restart containers or update
directory permissions to mitigate the vulnerability. Users unable to update
should limit access to the host to trusted users. Update directory
permissions on container bundle directories.
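
The permission check implied by the mitigation above, as an added example that is not part of the advisory or of containerd. It takes the directory holding the container bundles as an argument (the page does not name this path, so it is an assumption supplied by the operator) and reports bundle directories that users outside the owner and group can traverse, plus setuid/setgid files still reachable beneath them.

```python
import os
import stat
import sys


def other_can_traverse(mode):
    """True when the 'other' execute (search) bit is set on a directory."""
    return bool(mode & stat.S_IXOTH)


def audit_bundles(root):
    """Audit each bundle directory directly under root (path is an assumption).

    Returns (open_dirs, reachable_setid): bundle directories that users outside
    the owner and group can traverse, and setuid/setgid files beneath them that
    remain reachable because every parent directory also has o+x.
    """
    open_dirs, reachable_setid = [], []
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = entry.stat(follow_symlinks=False).st_mode
        if not other_can_traverse(mode):
            continue  # restricted at the top: nothing below is reachable
        open_dirs.append((entry.path, oct(stat.S_IMODE(mode))))
        for dirpath, dirnames, filenames in os.walk(entry.path):
            # Do not descend into directories 'other' cannot search.
            dirnames[:] = [d for d in dirnames if other_can_traverse(
                os.lstat(os.path.join(dirpath, d)).st_mode)]
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    reachable_setid.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return open_dirs, reachable_setid


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_bundles.py <bundle-root>")
    dirs, files = audit_bundles(sys.argv[1])
    for path, mode in dirs:
        print(f"traversable by other: {path} ({mode})")
    for path, mode, uid in files:
        print(f"reachable setuid/setgid: {path} ({mode}, owner uid {uid})")
    sys.exit(1 if dirs else 0)
```

The reported owner UID is the value to compare against host accounts when checking for the UID collision the description mentions.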

OS      OS Version  Architecture  Package     Package Version                    Filename
ubuntu  18.04       noarch        containerd  < 1.5.2-0ubuntu1~18.04.3           UNKNOWN
ubuntu  20.04       noarch        containerd  < 1.5.2-0ubuntu1~20.04.3           UNKNOWN
ubuntu  21.04       noarch        containerd  < 1.5.2-0ubuntu1~21.04.3           UNKNOWN
ubuntu  21.10       noarch        containerd  < 1.5.5-0ubuntu3                   UNKNOWN
ubuntu  22.04       noarch        containerd  < 1.5.5-0ubuntu3                   UNKNOWN
ubuntu  16.04       noarch        containerd  < 1.2.6-0ubuntu1~16.04.6+esm2      UNKNOWN
