CVE-2020-14370

CWE-212 CWE-200 — Information Exposure CWE-312 — Cleartext Storage of Sensitive Info11 documents7 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 60.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Containers/libpod/v2 Github.com Containers/podman/v2 Podman Project Podman +3 more

Timeline

PublishedSep 23

Latest updateJun 4

Description

An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages5 packages

▶Gogithub.com/containers/podman/v2< 2.0.5

▶Gogithub.com/containers/libpod/v2< 2.0.5

▶NVDpodman_project/podman< 2.0.5

▶CVEListV5podmanpodman 1.6.4-32.el7_9, podman versions before 2.0.5+1

▶Debianlibpod< 2.0.6+dfsg1-1+1

Also affects: Openshift Container Platform 4.6, Fedora 31, 32, 33, Enterprise Linux 7.0, 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Information disclosure in podman in github.com/containers/libpod↗2024-06-04

▶

OSV

Information disclosure in podman↗2024-04-24

▶

GHSA

Information disclosure in podman↗2024-04-24

▶

OSV

CVE-2020-14370: An information disclosure vulnerability was found in containers/podman in versions before 2↗2020-09-23

▶

CVEList

CVE-2020-14370: An information disclosure vulnerability was found in containers/podman in versions before 2↗2020-09-23

▶

📋Vendor Advisories

Red Hat

podman: Security regression of CVE-2020-14370 due to source code management issue↗2022-08-19

▶

Red Hat

podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API↗2020-09-22

▶

Debian

CVE-2020-14370: libpod - An information disclosure vulnerability was found in containers/podman in versio...↗2020

▶

💬Community

Bugzilla

CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API [fedora-all]↗2020-09-22

▶

Bugzilla

CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API↗2020-08-31

▶