CVE-2021-20206

Name
CVE-2021-20206
Description
An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1919391
Third Party Advisory https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cncf:container_network_interface:*:*:*:*:*:*:*:* container_network_interface >= None < 0.8.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status