Описание
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
An information disclosure flaw was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container leak into subsequent containers. This flaw allows an attacker who controls the subsequent containers to gain access to sensitive information stored in such variables. The highest threat from this vulnerability is to confidentiality.
Отчет
Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected. OCP 3.11 has previously packaged podman, but instead now relies on the version from rhel-extra.The older version previously packaged is not vulnerable to this CVE and hence has been marked not affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | container-tools:1.0/podman | Not affected | ||
| Red Hat Enterprise Linux 8 | container-tools:2.0/podman | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | podman | Not affected | ||
| Red Hat Enterprise Linux 7 Extras | podman | Fixed | RHSA-2020:5056 | 10.11.2020 |
| Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2021:0531 | 16.02.2021 |
| Red Hat OpenShift Container Platform 4.6 | podman | Fixed | RHSA-2020:4297 | 27.10.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
An information disclosure vulnerability was found in containers/podman ...
EPSS
5.3 Medium
CVSS3