CVE-2021-21334
Published 2021-03-10
Priority P3 | 37 | medium | 6.3 CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 2.04% (78.8th percentile)
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have a reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
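As an added triage check (not code from the advisory or the containerd project), the script below encodes the two affected version ranges listed on this page and flags groups of containers that meet the advisory's precondition of sharing an image while carrying different environment variables. The `containerd --version` output and the container specs it runs on are constructed samples.

```python
import re
from collections import defaultdict

# Affected ranges as listed in the advisory: every release below 1.3.10,
# and the 1.4 series from 1.4.0 up to (but not including) 1.4.4.
AFFECTED_RANGES = [((0, 0, 0), (1, 3, 10)), ((1, 4, 0), (1, 4, 4))]


def parse_version(text):
    """Extract the first x.y.z version from text such as `containerd --version` output."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no semantic version found in: %r" % text)
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if version falls in an affected range (lower bound inclusive, upper exclusive)."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def exposure_candidates(containers):
    """Group (name, image, env_dict) triples by image and return the images whose
    containers do not all carry the same environment: only those groups match the
    advisory's precondition (same image, different environment variables)."""
    by_image = defaultdict(list)
    for name, image, env in containers:
        by_image[image].append((name, frozenset(env.items())))
    flagged = {}
    for image, members in by_image.items():
        if len({env for _, env in members}) > 1:
            flagged[image] = sorted(name for name, _ in members)
    return flagged


# Constructed sample data: a fake version banner and four container specs.
SAMPLE_VERSION_OUTPUT = "containerd github.com/containerd/containerd v1.4.3 <commit-hash>"
SAMPLE_CONTAINERS = [
    ("web",    "registry.example/app:1.0", {"DB_PASSWORD": "<secret-a>", "ROLE": "web"}),
    ("worker", "registry.example/app:1.0", {"DB_PASSWORD": "<secret-b>", "ROLE": "worker"}),
    ("cache",  "registry.example/redis:6", {"MAXMEMORY": "256mb"}),
    ("cache2", "registry.example/redis:6", {"MAXMEMORY": "256mb"}),
]

if __name__ == "__main__":
    ver = parse_version(SAMPLE_VERSION_OUTPUT)
    print("containerd %d.%d.%d affected: %s" % (ver + (is_affected(ver),)))
    print("images with mixed env across containers:", exposure_candidates(SAMPLE_CONTAINERS))
```

A version in range only matters when containerd is driven through its CRI service; the image grouping narrows the pods worth restarting or rotating secrets for.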
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.3.10 | 1.3.10 |
| containerd | containerd | — | — |
| containerd | containerd | >= 0 < 1.4.4~ds1-1 | 1.4.4~ds1-1 |
| containerd | containerd | >= 0 < 1.4.4~ds1-1 | 1.4.4~ds1-1 |
| containerd | containerd | >= 0 < 1.4.4~ds1-1 | 1.4.4~ds1-1 |
| containerd | containerd | >= 0 < 1.4.4~ds1-1 | 1.4.4~ds1-1 |
| debian | containerd | < containerd 1.4.4~ds1-1 (bookworm) | containerd 1.4.4~ds1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | containerd_containerd | >= 0 < 1.3.10 | 1.3.10 |
| github.com | containerd_containerd | >= 1.4.0 < 1.4.4 | 1.4.4 |
| linuxfoundation | containerd | < 1.3.10 | 1.3.10 |
| linuxfoundation | containerd | >= 1.4.0 < 1.4.4 | 1.4.4 |
| msrc | azl3_kata-containers_3.15.0.aks0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_moby-containerd_1.4.4+azure-2_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
| nvd v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | 6.3 | MEDIUM | |
| vendor_debian | 6.3 | MEDIUM | |
| vendor_msrc | 6.3 | MEDIUM | |
| vendor_redhat | 6.3 | MEDIUM | |
Ubuntu: containerd vulnerability (vendor_ubuntu, 2021-03-17)
Summary: The system could be made to expose sensitive information.
It was discovered that containerd incorrectly handled certain environment variables. Contrary to expectations, a container could receive environment variables defined for a different container, possibly containing sensitive information.
Instructions: After a standard system update you need to restart containerd to make all the necessary changes.
Microsoft: environment variable leak [MEDIUM] CWE-668 (vendor_msrc, 2021-03-09, CVSS 6.3)
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azu
Red Hat: plugin: information leak between containers via environment variables [MEDIUM] CWE-200 (vendor_redhat, 2021-03-05, CVSS 6.3)
Debian: CVE-2021-21334: containerd [MEDIUM] (vendor_debian, 2021, CVSS 6.3)
OSV: containerd environment variable leak [MEDIUM] (osv, 2024-01-31)
## Impact
Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.
If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.
If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.
If you are not launching m
GHSA: containerd environment variable leak [MEDIUM] CWE-200 (ghsa, 2024-01-31)
OSV: CVE-2021-21334 [MEDIUM] (osv, 2021-03-10, CVSS 6.3)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e
https://github.com/containerd/containerd/releases/tag/v1.3.10
https://github.com/containerd/containerd/releases/tag/v1.4.4
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/
https://security.gentoo.org/glsa/202105-33