{
  "threat_severity" : "Moderate",
  "public_date" : "2020-09-22T00:00:00Z",
  "bugzilla" : {
    "description" : "podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API",
    "id" : "1874268",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1874268"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-212",
  "details" : [ "An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.", "An information disclosure flaw was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container leak into subsequent containers. This flaw allows an attacker who controls the subsequent containers to gain access to sensitive information stored in such variables. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected.\nOCP 3.11 has previously packaged podman, but instead now relies on the version from rhel-extra.The older version previously packaged is not vulnerable to this CVE and hence has been marked not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extras",
    "release_date" : "2020-11-10T00:00:00Z",
    "advisory" : "RHSA-2020:5056",
    "cpe" : "cpe:/a:redhat:rhel_extras_other:7",
    "package" : "podman-0:1.6.4-26.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-02-16T00:00:00Z",
    "advisory" : "RHSA-2021:0531",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:rhel8-8030120210208205200.c127ee91"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4297",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "podman-0:1.9.3-3.rhaos4.6.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "container-tools:1.0/podman",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "container-tools:2.0/podman",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "podman",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14370\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14370" ],
  "name" : "CVE-2020-14370",
  "csaw" : false
}