Podman Project Podman vulnerabilities

CVE-2024-3056 [HIGH] CWE-400 CVE-2024-3056: A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious

CVE-2022-4122 [MEDIUM] CWE-59 CVE-2022-4122: A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.

CVE-2022-4123 [LOW] CWE-23 CVE-2022-4123: A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to inco A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

CVE-2022-2738 [HIGH] CVE-2022-2738: The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under c

CVE-2022-2739 [MEDIUM] CVE-2022-2739: The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.

CVE-2019-25067 [MEDIUM] CVE-2019-25067: A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affec A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-143949 was assigned to this vulner

CVE-2022-1227 [HIGH] CWE-281 CVE-2022-1227: A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or

CVE-2022-27649 [HIGH] CWE-276 CVE-2022-27649: A flaw was found in Podman, where containers were started incorrectly with non-empty default permiss A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate

CVE-2021-4024 [MEDIUM] CWE-200 CVE-2021-4024: A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` A

CVE-2021-20188 [HIGH] CWE-863 CVE-2021-20188: A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the containe

CVE-2021-20199 [MEDIUM] CWE-346 CVE-2021-20199: Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (incl Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.

CVE-2020-14370 [MEDIUM] CWE-212 CVE-2020-14370: An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. Whe An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control ov