CVE-2021-20199 — Origin Validation Error in Containers Podman V3

CWE-346 — Origin Validation Error CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 48.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libpod Project Libpod Github.com Containers Podman V3 Podman Project Podman

Timeline

PublishedFeb 2

Latest updateMay 18

Description

Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶Gogithub.com/containers_podman_v3< 3.0.0

▶NVDpodman_project/podman1.8.0 — 3.0.0

▶CVEListV5podman_project/podmanpodman 1.8.0 onwards

▶Debianlibpod_project/libpod< 3.0.0~rc2+dfsg1-2+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Podman Origin Validation Error↗2021-05-18

▶

OSV

Podman Origin Validation Error↗2021-05-18

▶

CVEList

CVE-2021-20199: Rootless containers run with Podman, receive all traffic with a source IP address of 127↗2021-02-02

▶

OSV

CVE-2021-20199: Rootless containers run with Podman, receive all traffic with a source IP address of 127↗2021-02-02

▶

📋Vendor Advisories

Microsoft

Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) con↗2021-02-09

▶

Red Hat

podman: Remote traffic to rootless containers is seen as orginating from localhost↗2021-01-01

▶

Debian

CVE-2021-20199: libpod - Rootless containers run with Podman, receive all traffic with a source IP addres...↗2021

▶