CVE-2020-14370: Information disclosure in podman

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.31132%
Published: 4/24/2024
Updated: 4/24/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name: github.com/containers/podman/v2
Ecosystem: go
Vulnerable Versions: < 2.0.5
First Patched Version: 2.0.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from using a mutable global variable (DefaultEnvVariables) for environment defaults. The pre-patch code in spec.go's createConfigToOCISpec directly used this variable and passed it to env.Join, which modified the shared map. The combination of: 1) using a shared map reference for default environment variables, and 2) Join's mutation of this map without isolation, caused cross-container leaks. The patch fixed this by replacing the variable with a function (DefaultEnvVariables()) that returns new map instances, eliminating shared state.
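
The shared-map pattern described above, next to the fresh-map-per-call fix, as an added example that is not podman's code and not part of the original page. The names sharedDefaults, freshDefaults, join, snapshot, buildEnvShared and buildEnvFresh, and the sample variables, are assumptions made for illustration.

```go
package main

import "fmt"

// Pre-patch pattern: one package-level map handed to every caller.
var sharedDefaults = map[string]string{"PATH": "/usr/bin:/bin", "TERM": "xterm"}

// Patched pattern: a function that builds a new map on each call.
func freshDefaults() map[string]string {
	return map[string]string{"PATH": "/usr/bin:/bin", "TERM": "xterm"}
}

// join is a simplified, hypothetical merge helper: it writes override
// into base and returns base, so the caller's base map is mutated.
func join(base, override map[string]string) map[string]string {
	for k, v := range override {
		base[k] = v
	}
	return base
}

// snapshot copies the merged map, standing in for writing it into a container spec.
func snapshot(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// buildEnvShared merges into the global, so earlier containers' variables persist.
func buildEnvShared(user map[string]string) map[string]string {
	return snapshot(join(sharedDefaults, user))
}

// buildEnvFresh merges into a per-call map, so nothing carries over.
func buildEnvFresh(user map[string]string) map[string]string {
	return snapshot(join(freshDefaults(), user))
}

func main() {
	secret := map[string]string{"DB_PASSWORD": "constructed-value"} // constructed sample
	other := map[string]string{"APP": "web"}
	buildEnvShared(secret)
	_, leakedShared := buildEnvShared(other)["DB_PASSWORD"]
	buildEnvFresh(secret)
	_, leakedFresh := buildEnvFresh(other)["DB_PASSWORD"]
	fmt.Println("shared global leaks:", leakedShared, "| fresh map leaks:", leakedFresh)
}
```

When auditing Go code for this bug class, look for package-level maps or slices passed to helpers that write into their arguments.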
