CVE-2021-4024
MEDIUMPodman <3.4.3 - gvproxy API Exposure Allows Host-to-VM Port Forwarding
Title source: manualDescription
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
References (3)
Core 3
Core References
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2026675%2C
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/containers/podman/releases/tag/v3.4.3
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFFVJ6S3ZRMPDYB7KYAWEMDHXFZYQPU3/
Scores
CVSS v3
6.5
EPSS
0.0009
EPSS Percentile
26.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Details
CWE
CWE-346
CWE-200
Status
published
Products (5)
containers/podman
0 - 3.4.3Go
fedoraproject/fedora
34
fedoraproject/fedora
35
podman_project/podman
3.3.0 - 3.4.3
redhat/enterprise_linux
8.0
Published
Dec 23, 2021
Tracked Since
Feb 18, 2026