{"api_version":"1","generated_at":"2026-04-23T01:32:51+00:00","cve":"CVE-2021-21334","urls":{"html":"https://cve.report/CVE-2021-21334","api":"https://cve.report/api/cve/CVE-2021-21334.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-21334","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-21334"},"summary":{"title":"CVE-2021-21334","description":"In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. 
Users should update to these versions.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-03-10 22:15:00","updated_at":"2023-11-07 03:29:00"},"problem_types":["CWE-668"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/","name":"FEDORA-2021-10ce8fcbf1","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: golang-github-containerd-cri-1.19.0-3.20210307gitaa2d5a9.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e","name":"https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Merge pull request from GHSA-6g2q-w5j3-fwh4 · containerd/containerd@05f951a · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/releases/tag/v1.3.10","name":"https://github.com/containerd/containerd/releases/tag/v1.3.10","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"Release containerd 1.3.10 · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/","name":"FEDORA-2021-f049305892","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: golang-github-containerd-cri-1.19.0-3.20210307gitaa2d5a9.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/","name":"FEDORA-2021-470fa24f5b","refsource":"FEDORA","tags":["Mailing 
List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: containerd-1.4.4-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4","name":"https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"containerd CRI plugin: environment variables can leak between containers · Advisory · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/containerd/containerd/releases/tag/v1.4.4","name":"https://github.com/containerd/containerd/releases/tag/v1.4.4","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"Release containerd 1.4.4 · containerd/containerd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/","name":"FEDORA-2021-470fa24f5b","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: containerd-1.4.4-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202105-33","name":"GLSA-202105-33","refsource":"GENTOO","tags":[],"title":"containerd: Multiple vulnerabilities (GLSA 202105-33) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/","name":"FEDORA-2021-f049305892","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: golang-github-containerd-cri-1.19.0-3.20210307gitaa2d5a9.fc34 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/","name":"FEDORA-2021-10ce8fcbf1","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: golang-github-containerd-cri-1.19.0-3.20210307gitaa2d5a9.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-21334","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21334","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"21334","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21334","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21334","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"linuxfoundation","cpe5":"containerd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-21334","qid":"174971","title":"SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1458-1)"},{"cve":"CVE-2021-21334","qid":"179796","title":"Debian Security Update for containerd 
(CVE-2021-21334)"},{"cve":"CVE-2021-21334","qid":"198300","title":"Ubuntu Security Notification for Containerd Vulnerability (USN-4881-1)"},{"cve":"CVE-2021-21334","qid":"281523","title":"Fedora Security Update for containerd (FEDORA-2021-470fa24f5b)"},{"cve":"CVE-2021-21334","qid":"281524","title":"Fedora Security Update for golang (FEDORA-2021-f049305892)"},{"cve":"CVE-2021-21334","qid":"281525","title":"Fedora Security Update for golang (FEDORA-2021-10ce8fcbf1)"},{"cve":"CVE-2021-21334","qid":"353048","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2021-011"},{"cve":"CVE-2021-21334","qid":"353061","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2021-011"},{"cve":"CVE-2021-21334","qid":"356560","title":"Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-014"},{"cve":"CVE-2021-21334","qid":"500859","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-21334","qid":"501871","title":"Alpine Linux Security Update for k3s"},{"cve":"CVE-2021-21334","qid":"504641","title":"Alpine Linux Security Update for containerd"},{"cve":"CVE-2021-21334","qid":"6140347","title":"AWS Bottlerocket Security Update for containerd (GHSA-jcqh-gjq8-fxgq)"},{"cve":"CVE-2021-21334","qid":"710081","title":"Gentoo Linux containerd Multiple vulnerabilities (GLSA 202105-33)"},{"cve":"CVE-2021-21334","qid":"750155","title":"SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1954-1)"},{"cve":"CVE-2021-21334","qid":"750648","title":"OpenSUSE Security Update for containerd, docker, runc (openSUSE-SU-2021:0878-1)"},{"cve":"CVE-2021-21334","qid":"750812","title":"OpenSUSE Security Update for containerd, docker, runc (openSUSE-SU-2021:1954-1)"},{"cve":"CVE-2021-21334","qid":"900210","title":"CBL-Mariner Linux Security Update for zstd 1.4.4"},{"cve":"CVE-2021-21334","qid":"900211","title":"CBL-Mariner Linux Security Update for moby-containerd 
1.4.4"},{"cve":"CVE-2021-21334","qid":"903258","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (4430)"},{"cve":"CVE-2021-21334","qid":"997017","title":"GO (Go) Security Update for github.com/containerd/containerd (GHSA-6g2q-w5j3-fwh4)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-21334","STATE":"PUBLIC","TITLE":"environment variable leak"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"containerd","version":{"version_data":[{"version_value":"< 1.3.10"},{"version_value":">= 1.4.0, < 1.4.4"}]}}]},"vendor_name":"containerd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. 
Users should update to these versions."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.3,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"{\"CWE-668\":\"Exposure of Resource to Wrong Sphere\"}"}]}]},"references":{"reference_data":[{"name":"https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4","refsource":"CONFIRM","url":"https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4"},{"name":"https://github.com/containerd/containerd/releases/tag/v1.4.4","refsource":"MISC","url":"https://github.com/containerd/containerd/releases/tag/v1.4.4"},{"name":"https://github.com/containerd/containerd/releases/tag/v1.3.10","refsource":"MISC","url":"https://github.com/containerd/containerd/releases/tag/v1.3.10"},{"name":"https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e","refsource":"MISC","url":"https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e"},{"refsource":"FEDORA","name":"FEDORA-2021-470fa24f5b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/"},{"refsource":"FEDORA","name":"FEDORA-2021-10ce8fcbf1","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/"},{"refsource":"FEDORA","name":"FEDORA-2021-f049305892","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/"},{"refsource":"GENTOO","name":"GLSA-202105-33","url":"https://security.gentoo.org/glsa/202105-33"}]},"source":{"advisory":"GHSA-6g2
q-w5j3-fwh4","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-03-10 22:15:00","lastModifiedDate":"2023-11-07 03:29:00","problem_types":["CWE-668"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionStartIncluding":"1.4.0","versionEndExcluding":"1.4.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*","versionEndExcluding":"1.3.10","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"21334","Ordinal":"195460","Title":"CVE-2021-21334","CVE":"CVE-2021-21334","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"21334","Ordinal":"1","NoteData":"In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI 
implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"21334","Ordinal":"2","NoteData":"2021-03-10","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"21334","Ordinal":"3","NoteData":"2021-05-26","Type":"Other","Title":"Modified"}]}}}