CVE-2021-21334 — Resource Exposure in Containerd

CWE-668 — Resource Exposure CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

6.3MEDIUMNVD

EPSS

0.5%

top 35.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Containerd Github.com Containerd Containerd Linuxfoundation Containerd +1 more

Timeline

PublishedMar 10

Latest updateJan 31

Description

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally sha…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.8 | Impact: 4.0

Affected Packages4 packages

▶CVEListV5containerd/containerd< 1.3.10+1

▶NVDlinuxfoundation/containerd1.4.0 — 1.4.4+1

▶Gogithub.com/containerd_containerd1.4.0 — 1.4.4+1

▶Debiancontainerd/containerd< 1.4.4~ds1-1+3

Also affects: Fedora 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

containerd environment variable leak↗2024-01-31

▶

GHSA

containerd environment variable leak↗2024-01-31

▶

CVEList

environment variable leak↗2021-03-10

▶

OSV

CVE-2021-21334: In containerd (an industry-standard container runtime) before versions 1↗2021-03-10

▶

📋Vendor Advisories

Ubuntu

containerd vulnerability↗2021-03-17

▶

Microsoft

environment variable leak↗2021-03-09

▶

Red Hat

plugin: information leak between containers via environment variables↗2021-03-05

▶

Debian

CVE-2021-21334: containerd - In containerd (an industry-standard container runtime) before versions 1.3.10 an...↗2021

▶