{"api_version":"1","generated_at":"2026-04-23T00:59:50+00:00","cve":"CVE-2021-20199","urls":{"html":"https://cve.report/CVE-2021-20199","api":"https://cve.report/api/cve/CVE-2021-20199.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-20199","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-20199"},"summary":{"title":"CVE-2021-20199","description":"Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-02-02 19:15:00","updated_at":"2021-02-26 03:32:00"},"problem_types":["CWE-346"],"metrics":[],"references":[{"url":"https://github.com/rootless-containers/rootlesskit/pull/206","name":"https://github.com/rootless-containers/rootlesskit/pull/206","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"port: add ChildIP by giuseppe · Pull Request #206 · rootless-containers/rootlesskit · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1919050","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1919050","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"1919050 – (CVE-2021-20199) CVE-2021-20199 podman: Remote traffic to rootless containers is seen as orginating from localhost","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containers/podman/issues/5138","name":"https://github.com/containers/podman/issues/5138","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Source IP always 127.0.0.1 in rootless Podman 1.8.0 · Issue #5138 · containers/podman · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containers/podman/pull/9052","name":"https://github.com/containers/podman/pull/9052","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"rootlessport: set source IP to slirp4netns device by giuseppe · Pull Request #9052 · containers/podman · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-20199","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20199","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"20199","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"podman_project","cpe5":"podman","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20199","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"podman_project","cpe5":"podman","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-20199","qid":"159458","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2021-1796)"},{"cve":"CVE-2021-20199","qid":"160293","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2022-7954)"},{"cve":"CVE-2021-20199","qid":"180303","title":"Debian Security Update for rootlesskitlibpod (CVE-2021-20199)"},{"cve":"CVE-2021-20199","qid":"239301","title":"Red Hat Update for container-tools:rhel8 (RHSA-2021:1796)"},{"cve":"CVE-2021-20199","qid":"240876","title":"Red Hat Update for podman (RHSA-2022:7954)"},{"cve":"CVE-2021-20199","qid":"501897","title":"Alpine Linux Security Update for podman"},{"cve":"CVE-2021-20199","qid":"751822","title":"OpenSUSE Security Update for conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-20199","qid":"752014","title":"SUSE Enterprise Linux Security Update for conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-20199","qid":"752601","title":"SUSE Enterprise Linux Security Update for libcontainers-common (SUSE-SU-2022:3312-1)"},{"cve":"CVE-2021-20199","qid":"753592","title":"SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0187-1)"},{"cve":"CVE-2021-20199","qid":"753659","title":"SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0326-1)"},{"cve":"CVE-2021-20199","qid":"901065","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for podman (7329)"},{"cve":"CVE-2021-20199","qid":"902632","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for podman (7329-1)"},{"cve":"CVE-2021-20199","qid":"940208","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2021:1796)"},{"cve":"CVE-2021-20199","qid":"940834","title":"AlmaLinux Security Update for podman (ALSA-2022:7954)"},{"cve":"CVE-2021-20199","qid":"960349","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2021:1796)"},{"cve":"CVE-2021-20199","qid":"982548","title":"Go (go) Security Update for github.com/containers/podman/v3 (GHSA-grh6-q6m2-rh72)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-20199","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"podman","version":{"version_data":[{"version_value":"podman 1.8.0 onwards"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-346"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1919050","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1919050"},{"refsource":"MISC","name":"https://github.com/containers/podman/issues/5138","url":"https://github.com/containers/podman/issues/5138"},{"refsource":"MISC","name":"https://github.com/rootless-containers/rootlesskit/pull/206","url":"https://github.com/rootless-containers/rootlesskit/pull/206"},{"refsource":"MISC","name":"https://github.com/containers/podman/pull/9052","url":"https://github.com/containers/podman/pull/9052"}]},"description":{"description_data":[{"lang":"eng","value":"Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards."}]}},"nvd":{"publishedDate":"2021-02-02 19:15:00","lastModifiedDate":"2021-02-26 03:32:00","problem_types":["CWE-346"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:podman_project:podman:*:*:*:*:*:*:*:*","versionStartIncluding":"1.8.0","versionEndExcluding":"3.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"20199","Ordinal":"194240","Title":"CVE-2021-20199","CVE":"CVE-2021-20199","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"20199","Ordinal":"1","NoteData":"Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"20199","Ordinal":"2","NoteData":"2021-02-02","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"20199","Ordinal":"3","NoteData":"2021-02-02","Type":"Other","Title":"Modified"}]}}}