Vulnerability Details : CVE-2020-14370
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
Vulnerability category: Information leak
Products affected by CVE-2020-14370
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:podman_project:podman:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-14370
Top countries where our scanners detected CVE-2020-14370
Top open port discovered on systems with this issue
53
IPs affected by CVE-2020-14370 676,294
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2020-14370!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2020-14370
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 27 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-14370
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.6
|
3.6
|
NIST |
CWE ids for CVE-2020-14370
-
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2020-14370
-
https://bugzilla.redhat.com/show_bug.cgi?id=1874268
1874268 – (CVE-2020-14370) CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST APIIssue Tracking;Patch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP/
[SECURITY] Fedora 32 Update: podman-2.1.1-7.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV/
[SECURITY] Fedora 31 Update: podman-2.1.1-3.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR/
[SECURITY] Fedora 33 Update: crun-0.15-5.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to