CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-2739 – podman: Security regression of CVE-2020-14370 due to source code management issue
https://notcve.org/view.php?id=CVE-2022-2739
22 Aug 2022 — The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables. La versión de podman publicada para Red Hat Enterprise Linux 7 Extras por medio del aviso RHSA-2022:2190 incluía una versión incorrecta de podman que carecía de la correcci... • https://access.redhat.com/security/cve/CVE-2022-2739 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2022-2738 – podman: Security regression of CVE-2020-8945 due to source code management issue
https://notcve.org/view.php?id=CVE-2022-2738
22 Aug 2022 — The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-8945, which was previously fixed via RHSA-2020:2117. This issue could possibly be used to crash or cause potential code execution in Go applications that use the Go GPGME wrapper library, under certain conditions, during GPG signature verification. La versión de podman publicada para Red Hat Enterprise Linux 7 Extras por medio del aviso RHSA... • https://access.redhat.com/security/cve/CVE-2022-2738 • CWE-416: Use After Free •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1CVE-2019-25067 – Podman/Varlink API Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-25067
09 Jun 2022 — A vulnerability, which was classified as critical, was found in Podman and Varlink 1.5.1. This affects an unknown part of the component API. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/containers/podman/issues/21628 •
CVSS: 8.8EPSS: 26%CPEs: 20EXPL: 2CVE-2022-1227 – psgo: Privilege escalation in 'podman top'
https://notcve.org/view.php?id=CVE-2022-1227
29 Apr 2022 — A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service. Se ha encontrado un fallo de escalada de privilegios en Podman. • https://github.com/iridium-soda/CVE-2022-1227_Exploit • CWE-269: Improper Privilege Management CWE-281: Improper Preservation of Permissions •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 0CVE-2022-27649 – podman: Default inheritable capabilities for linux container should be empty
https://notcve.org/view.php?id=CVE-2022-27649
04 Apr 2022 — A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. Se ha encontrado un fallo en Podman, donde los contenedores eran iniciados incorrectamente con per... • https://bugzilla.redhat.com/show_bug.cgi?id=2066568 • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-4024 – podman: podman machine spawns gvproxy with port bound to all IPs
https://notcve.org/view.php?id=CVE-2021-4024
23 Dec 2021 — A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt th... • https://bugzilla.redhat.com/show_bug.cgi?id=2026675%2C • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-346: Origin Validation Error •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20188 – podman: container users permissions are not respected in privileged containers
https://notcve.org/view.php?id=CVE-2021-20188
11 Feb 2021 — A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerabilit... • https://bugzilla.redhat.com/show_bug.cgi?id=1915734 • CWE-863: Incorrect Authorization •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-20199 – podman: Remote traffic to rootless containers is seen as orginating from localhost
https://notcve.org/view.php?id=CVE-2021-20199
02 Feb 2021 — Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards. Los contenedores Rootless se ejecutan con Podman, reciben todo el tráfico con una dirección IP de origen 127.0.0.1 (incluyendo desde hosts remotos). Esto afecta a las aplicaciones en contenedores que confían en... • https://bugzilla.redhat.com/show_bug.cgi?id=1919050 • CWE-346: Origin Validation Error •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2020-14370 – podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API
https://notcve.org/view.php?id=CVE-2020-14370
23 Sep 2020 — An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables. Se encontró una vulnerabilidad de divulgación ... • https://bugzilla.redhat.com/show_bug.cgi?id=1874268 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •