CVE-2020-14370

Name
CVE-2020-14370
Description
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1874268
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:podman_project:podman:*:*:*:*:*:*:*:* podman >= None < 2.0.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
podman edge-community 2.0.5-r0 None fixed
podman edge-community 1.8.1-r0 None possibly vulnerable
podman 3.22-community 2.0.5-r0 None fixed
podman 3.22-community 1.8.1-r0 None possibly vulnerable
podman 3.21-community 2.0.5-r0 None fixed
podman 3.20-community 2.0.5-r0 None fixed
podman 3.19-community 2.0.5-r0 None fixed
podman 3.18-community 2.0.5-r0 None fixed
podman 3.17-community 2.0.5-r0 None fixed