CVE-2020-14370

NameCVE-2020-14370
DescriptionAn information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpod (PTS)bullseye3.0.1+dfsg1-3+deb11u5fixed
bookworm4.3.1+ds1-8fixed
trixie4.9.3+ds1-1fixed
sid4.9.4+ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpodsource(unstable)2.0.6+dfsg1-1

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1874268
https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074
Search for package or bug name: Reporting problems