CVE-2020-14370

MEDIUM

Podman < 2.0.5 - Information Disclosure

Title source: rule

Description

An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

References (4)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV/

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1874268

Scores

CVSS v3 5.3

EPSS 0.0018

EPSS Percentile 38.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-212

Status published

Products (8)

containers/podman 0 - 2.0.5Go

fedoraproject/fedora 31

fedoraproject/fedora 32

fedoraproject/fedora 33

podman_project/podman < 2.0.5

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

redhat/openshift_container_platform 4.6

Published Sep 23, 2020

Tracked Since Feb 18, 2026