CVE-2020-14370: Infoleak
First published: Mon Aug 31 2020(Updated: )
A flaw was discovered in Podman before upstream version 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first containers will get leaked into subsequent containers. An attacker who has control over those subsequent containers may get access to secrets shared with previous containers through environment variables.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/podman | <0:1.6.4-26.el7_9 | 0:1.6.4-26.el7_9 |
| redhat/podman | <0:1.9.3-3.rhaos4.6.el8 | 0:1.9.3-3.rhaos4.6.el8 |
| Podman Project Podman | <2.0.5 | |
| Redhat Openshift Container Platform | =4.6 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| redhat/podman | <2.0.5 | 2.0.5 |
| go/github.com/containers/podman/v2 | <2.0.5 | 2.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-14370 https://nvd.nist.gov/vuln/detail/CVE-2020-14370
- https://bugzilla.redhat.com/show_bug.cgi?id=1874268
- https://access.redhat.com/errata/RHSA-2020:5056
- https://access.redhat.com/errata/RHSA-2021:0531
- https://access.redhat.com/errata/RHSA-2020:4297
- https://access.redhat.com/security/cve/cve-2020-14370
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV/
- https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1881345
- https://nvd.nist.gov/vuln/detail/CVE-2020-14370
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV
- https://github.com/advisories/GHSA-c3wv-qmjj-45r6 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-14370?
CVE-2020-14370 is an information disclosure vulnerability found in containers/podman versions before 2.0.5.
How does the vulnerability in CVE-2020-14370 work?
The vulnerability in CVE-2020-14370 allows environment variables from the first container to leak into subsequent containers when using the deprecated Varlink API or the Docker-compatible REST API.
What is the severity of CVE-2020-14370?
The severity of CVE-2020-14370 is medium.
How can I fix CVE-2020-14370?
To fix CVE-2020-14370, update to containers/podman version 2.0.5 or later.
Where can I find more information about CVE-2020-14370?
You can find more information about CVE-2020-14370 on the GitHub commit, Bugzilla report, and Red Hat Security Advisory linked in the references section.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14370
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c3wv-qmjj-45r6
- agent/last-modified-date
- agent/weakness
- agent/softwarecombine
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- agent/references
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/podman project
- canonical/podman project podman
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.6
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- package-manager/go