{"api_version":"1","generated_at":"2026-04-23T00:42:25+00:00","cve":"CVE-2021-20291","urls":{"html":"https://cve.report/CVE-2021-20291","api":"https://cve.report/api/cve/CVE-2021-20291.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-20291","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-20291"},"summary":{"title":"CVE-2021-20291","description":"A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-04-01 18:15:00","updated_at":"2023-11-07 03:29:00"},"problem_types":["CWE-667"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/","name":"FEDORA-2021-83b3740389","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: runc-1.0.0-377.rc93.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1939485","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1939485","refsource":"MISC","tags":[],"title":"1939485 – (CVE-2021-20291) CVE-2021-20291 containers/storage: DoS via malicious image","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/","name":"FEDORA-2021-c56a213327","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: skopeo-1.2.3-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/","name":"FEDORA-2021-a3703b9dc8","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: skopeo-1.2.3-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://unit42.paloaltonetworks.com/cve-2021-20291/","name":"https://unit42.paloaltonetworks.com/cve-2021-20291/","refsource":"MISC","tags":[],"title":"New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/","name":"FEDORA-2021-ec00da7faa","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: buildah-1.20.1-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/","name":"FEDORA-2021-c56a213327","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: skopeo-1.2.3-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/","name":"FEDORA-2021-a3703b9dc8","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: skopeo-1.2.3-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/","name":"FEDORA-2021-83b3740389","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: runc-1.0.0-377.rc93.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/","name":"FEDORA-2021-ec00da7faa","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: buildah-1.20.1-4.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-20291","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20291","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"20291","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20291","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20291","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20291","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openshift_container_platform","cpe6":"4.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20291","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"storage_project","cpe5":"storage","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-20291","qid":"159464","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2021-4154)"},{"cve":"CVE-2021-20291","qid":"160277","title":"Oracle Enterprise Linux Security Update for skopeo (ELSA-2022-7955)"},{"cve":"CVE-2021-20291","qid":"160285","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2022-8008)"},{"cve":"CVE-2021-20291","qid":"160293","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2022-7954)"},{"cve":"CVE-2021-20291","qid":"182468","title":"Debian Security Update for golang-github-containers-storage (CVE-2021-20291)"},{"cve":"CVE-2021-20291","qid":"239248","title":"Red Hat Update for OpenShift Container Platform 4.7.7 (RHSA-2021:1150)"},{"cve":"CVE-2021-20291","qid":"239825","title":"Red Hat Update for container-tools:rhel8 security (RHSA-2021:4154)"},{"cve":"CVE-2021-20291","qid":"240876","title":"Red Hat Update for podman (RHSA-2022:7954)"},{"cve":"CVE-2021-20291","qid":"240894","title":"Red Hat Update for buildah (RHSA-2022:8008)"},{"cve":"CVE-2021-20291","qid":"240920","title":"Red Hat Update for skopeo (RHSA-2022:7955)"},{"cve":"CVE-2021-20291","qid":"281086","title":"Fedora Security Update for buildah, containers-common (FEDORA-2021-ec00da7faa)"},{"cve":"CVE-2021-20291","qid":"281292","title":"Fedora Security Update for buildah (FEDORA-2021-ec00da7faa)"},{"cve":"CVE-2021-20291","qid":"281300","title":"Fedora Security Update for buildah (FEDORA-2021-83b3740389)"},{"cve":"CVE-2021-20291","qid":"281302","title":"Fedora Security Update for skopeo (FEDORA-2021-c56a213327)"},{"cve":"CVE-2021-20291","qid":"281303","title":"Fedora Security Update for skopeo (FEDORA-2021-a3703b9dc8)"},{"cve":"CVE-2021-20291","qid":"751822","title":"OpenSUSE Security Update for conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-20291","qid":"752014","title":"SUSE Enterprise Linux Security Update for conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)"},{"cve":"CVE-2021-20291","qid":"752601","title":"SUSE Enterprise Linux Security Update for libcontainers-common (SUSE-SU-2022:3312-1)"},{"cve":"CVE-2021-20291","qid":"770057","title":"Red Hat OpenShift Container Platform 4.7.7 Security Update (RHSA-2021:1150)"},{"cve":"CVE-2021-20291","qid":"770088","title":"Red Hat OpenShift Container Platform 4.7 Security Update (RHSA-2021-1150)"},{"cve":"CVE-2021-20291","qid":"940445","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2021:4154)"},{"cve":"CVE-2021-20291","qid":"940827","title":"AlmaLinux Security Update for buildah (ALSA-2022:8008)"},{"cve":"CVE-2021-20291","qid":"940833","title":"AlmaLinux Security Update for skopeo (ALSA-2022:7955)"},{"cve":"CVE-2021-20291","qid":"940834","title":"AlmaLinux Security Update for podman (ALSA-2022:7954)"},{"cve":"CVE-2021-20291","qid":"960213","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2021:4154)"},{"cve":"CVE-2021-20291","qid":"982395","title":"Go (go) Security Update for github.com/containers/storage/pkg/archive (GHSA-7qw8-847f-pggm)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-20291","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"containers/storage","version":{"version_data":[{"version_value":"containers/storage 1.28.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-667"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1939485","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1939485"},{"refsource":"FEDORA","name":"FEDORA-2021-ec00da7faa","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/"},{"refsource":"FEDORA","name":"FEDORA-2021-83b3740389","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNMB7O2UIXE34PGSCSOULGHPX5LIJBMM/"},{"refsource":"FEDORA","name":"FEDORA-2021-a3703b9dc8","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WX24EITRXVHDM5M223BVTJA2ODF2FSHI/"},{"refsource":"FEDORA","name":"FEDORA-2021-c56a213327","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/"},{"refsource":"MISC","name":"https://unit42.paloaltonetworks.com/cve-2021-20291/","url":"https://unit42.paloaltonetworks.com/cve-2021-20291/"}]},"description":{"description_data":[{"lang":"eng","value":"A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS)."}]}},"nvd":{"publishedDate":"2021-04-01 18:15:00","lastModifiedDate":"2023-11-07 03:29:00","problem_types":["CWE-667"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:N/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"COMPLETE","baseScore":7.1},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":6.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:storage_project:storage:*:*:*:*:*:*:*:*","versionEndExcluding":"1.28.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"20291","Ordinal":"194332","Title":"CVE-2021-20291","CVE":"CVE-2021-20291","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"20291","Ordinal":"1","NoteData":"A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).","Type":"Description","Title":null},{"CveYear":"2021","CveId":"20291","Ordinal":"2","NoteData":"2021-04-01","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"20291","Ordinal":"3","NoteData":"2021-05-24","Type":"Other","Title":"Modified"}]}}}