Information Disclosure

Affecting github.com/containers/podman/pkg/env package, versions <2.0.5


Overview

github.com/containers/podman/pkg/env is a package for processing environment variables.

Affected versions of this package are vulnerable to Information Disclosure. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container are leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

Remediation

Upgrade github.com/containers/podman/pkg/env to version 2.0.5 or higher.
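
One way to confirm that a host no longer shows the behaviour described in the Overview is to compare, for containers created in sequence, the environment each one requested with the environment it actually received. The Go code below is an added example, not Podman or Snyk code: the Container and Leak types, FindLeaks and the sample data are hypothetical and constructed, and collecting the two environment lists from the API is left to the caller.

```go
package main

import (
	"fmt"
	"strings"
)

// Container pairs the env sent at create time with the env observed afterwards.
type Container struct {
	Name                string
	Requested, Observed []string // KEY=VALUE entries
}

// Leak is a variable that reached a container that never requested it.
type Leak struct{ From, Into, Key string }
func key(entry string) string { return strings.SplitN(entry, "=", 2)[0] }

// FindLeaks takes containers in creation order and reports each observed entry
// that an earlier container requested but whose key this container did not.
func FindLeaks(cs []Container) (leaks []Leak) {
	owner := map[string]string{} // entry -> latest container that requested it
	for _, c := range cs {
		asked := map[string]bool{}
		for _, e := range c.Requested {
			asked[key(e)] = true
			owner[e] = c.Name
		}
		for _, e := range c.Observed {
			if from, ok := owner[e]; ok && !asked[key(e)] {
				leaks = append(leaks, Leak{from, c.Name, key(e)})
			}
		}
	}
	return leaks
}

// SampleContainers is constructed data, not output captured from a real host.
func SampleContainers() []Container {
	p := "PATH=/usr/bin:/bin" // image default that nobody requested
	return []Container{
		{"first", []string{"DB_PASSWORD=canary-1"}, []string{p, "DB_PASSWORD=canary-1"}},
		{"second", []string{"MODE=web"}, []string{p, "MODE=web", "DB_PASSWORD=canary-1"}},
	}
}

func main() {
	for _, l := range FindLeaks(SampleContainers()) {
		fmt.Printf("%s leaked from %s into %s\n", l.Key, l.From, l.Into)
	}
}
```

Image defaults such as PATH are not flagged because no earlier container requested them; using a unique value per container keeps the match unambiguous.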

CVSS Score

8.2 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:R

Credit: Unknown
CVE: CVE-2020-14370
CWE: CWE-200
Snyk ID: SNYK-GOLANG-GITHUBCOMCONTAINERSPODMANPKGENV-1012561
Disclosed: 24 Sep, 2020
Published: 24 Sep, 2020