CVE-2021-20199

Published: Feb 2, 2021Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.

Affected (1)

Products: Podman Project: Podman

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Podman Project Podman	From 1.8.0 to 3.0.0

Related CWEs

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (8)

https://bugzilla.redhat.com/show_bug.cgi?id=1919050

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://github.com/containers/podman/issues/5138

Source: secalert@redhat.com

ExploitThird Party Advisory

https://github.com/containers/podman/pull/9052

Source: secalert@redhat.com

PatchThird Party Advisory

https://github.com/rootless-containers/rootlesskit/pull/206

Source: secalert@redhat.com

PatchThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1919050

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/containers/podman/issues/5138

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/containers/podman/pull/9052

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/rootless-containers/rootlesskit/pull/206

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.