CVE-2020-14370
Last modified
CVE-2020-14370 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. EPSS estimates a 1.40% chance of exploitation in the next 30 days.
Description
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Podman Project | Podman | < 2.0.5 |
| Redhat | Openshift Container Platform | 4.6 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Enterprise Linux | 8.0 |
| Fedoraproject | Fedora | 31 |
| Fedoraproject | Fedora | 32 |
| Fedoraproject | Fedora | 33 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1874268Issue Tracking, Patch, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1874268Issue Tracking, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-14370?
How severe is CVE-2020-14370?
How do I fix CVE-2020-14370?
Are you affected by CVE-2020-14370?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST