4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
50.0%
Severity: High
Date : 2020-09-26
CVE-ID : CVE-2020-14370
Package : podman
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-1233
The package podman before version 2.1.0-1 is vulnerable to information
disclosure.
Upgrade to 2.1.0-1.
The problem has been fixed upstream in version 2.1.0.
None.
A flaw was discovered in Podman before upstream version 2.0.5. When
using the deprecated Varlink API or the Docker-compatible REST API, if
multiple containers are created in a short duration, the environment
variables from the first containers will get leaked into subsequent
containers. An attacker who has control over those subsequent
containers may get access to secrets shared with previous containers
through environment variables.
A local privileged user can potentially view secrets in environment
variables.
https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074
https://security.archlinux.org/CVE-2020-14370
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
50.0%