CVE-2020-14370

CVE	CVE-2020-14370
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-09-23 13:15:00 UTC
Updated	2023-11-07 03:17:00 UTC
Description	An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

Problem Types: CWE-212

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Application	Podman Project	Podman	All	All	All	All
Application	Podman Project	Podman	All	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Redhat	Openshift Container Platform	3.11	All	All	All
Application	Redhat	Openshift Container Platform	4.0	All	All	All
Application	Redhat	Openshift Container Platform	4.6	All	All	All
Application	Redhat	Openshift Container Platform	3.11	All	All	All
Application	Redhat	Openshift Container Platform	4.0	All	All	All

Reference	Source	Link	Tags
[SECURITY] Fedora 33 Update: crun-0.15-5.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 33 Update: crun-0.15-5.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 31 Update: podman-2.1.1-3.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 32 Update: podman-2.1.1-7.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 31 Update: podman-2.1.1-3.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 32 Update: podman-2.1.1-7.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
1874268 – (CVE-2020-14370) CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API	MISC	bugzilla.redhat.com	Issue Tracking, Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

377377 Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2021:0013)
501896 Alpine Linux Security Update for podman
750546 OpenSUSE Security Update for podman (openSUSE-SU-2020:2063-1)
750558 OpenSUSE Security Update for podman (openSUSE-SU-2020:2039-1)
751822 OpenSUSE Security Update for conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)
752014 SUSE Enterprise Linux Security Update for conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)
752601 SUSE Enterprise Linux Security Update for libcontainers-common (SUSE-SU-2022:3312-1)
770039 Red Hat OpenShift Container Platform 4.6.1 Package Security Update (RHSA-2020:4297)
940304 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2021:0531)
960720 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2021:0531)