PT-2020-13983 · Containers+6 · Podman+6

Guilherme De Almeida Suckevicz

Published

2020-09-10

Updated

2024-06-15

CVE-2020-14370

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions containers/podman versions prior to 2.0.5

Description An information disclosure issue was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, environment variables from the first container can be leaked into subsequent containers created in a short duration. This could allow an attacker with control over subsequent containers to access sensitive information stored in such variables.

Recommendations For versions prior to 2.0.5, update to version 2.0.5 or later to resolve the issue. As a temporary workaround, consider restricting the creation of multiple containers in a short duration to minimize the risk of exploitation. Avoid using the deprecated Varlink API or the Docker-compatible REST API for creating containers until the issue is resolved.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-212

Related Identifiers

ALSA-2021:0531

ALT-PU-2020-2753

ALT-PU-2020-2863

ALT-PU-2022-1252

CESA-2021_0531

CVE-2020-14370

GHSA-C3WV-QMJJ-45R6

GO-2024-2766

OPENSUSE-SU-2020:2039-1

OPENSUSE-SU-2020:2063-1

OPENSUSE-SU-2020_2039-1

OPENSUSE-SU-2020_2063-1

OPENSUSE-SU-2022:23018-1

OPENSUSE-SU-2022_23018-1

OPENSUSE-SU-2024:11177-1

OPENSUSE-SU-2024:11757-1

RHSA-2020:4297

RHSA-2020:5056

RHSA-2021:0531

RHSA-2021_0531

RLSA-2021:0531

SUSE-SU-2020:3378-1

SUSE-SU-2020_3378-1

SUSE-SU-2022:23018-1

SUSE-SU-2022:3312-1

Affected Products

Alt Linux

Almalinux

Centos

Red Hat

Rocky Linux

Suse

Podman

PT-2020-13983 · Containers+6 · Podman+6

CVE-2020-14370

Weakness Enumeration

Related Identifiers

Affected Products

References · 81