#VU54940 Information disclosure in Podman - CVE-2021-3602

Cybersecurity Help s.r.o.

Published: 2021-07-19

Vulnerability identifier: #VU54940

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3602

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Podman
Universal components / Libraries / Libraries used by multiple products

Vendor: Container Projects

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to podman build command with the --isolation chroot flag includes environment variables from the host. A remote attacker with access to the container can obtain sensitive information from environment variables.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Podman: 3.0.0 rc1 - 3.2.2

External links
https://github.com/containers/libpod/releases/tag/v3.2.3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for libcontainers-common

Red Hat Enterprise Linux 8 update for the container-tools:3.0 module

Red Hat Enterprise Linux 8 update for the container-tools:2.0 module

Red Hat Enterprise Linux 8 update for the container-tools:rhel8 module

Information disclosure in Buildah

Information disclosure in libpod

Fedora 34 update for podman

Fedora 33 update for buildah

Fedora 34 update for buildah

Fedora 33 update for containernetworking-plugins, containers-common, crun, podman, skopeo