CVE-2021-20291: Improper Locking in github.com/containers/storage
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.30495%
CWE
Published: 5/10/2021
Updated: 2/14/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/containers/storage | go | < 1.28.1 | 1.28.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper handling of xz decompression through an external process. The removed xzDecompress function, together with its dependency on cmdStream, created a scenario in which incomplete consumption of the decompressed stream (caused by invalid tar data in a layer) left goroutines blocked indefinitely on channel operations. The fix replaced the shell-out logic with a native xz library, eliminating the problematic process management. The functions directly involved in external process execution and stream coordination are clearly identified in the diff as the root cause.
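The blocking pattern described above, as an added illustrative model (not containers/storage's own code): a producer goroutine stands in for the external xz process writing into an unbuffered pipe, the consumer abandons the read after the first bytes because the layer is not a valid tar archive, and the close step then waits for a producer that can never finish unless the read end is closed first. The layer bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"time"
)

// layerStream models the shell-out helper: a producer goroutine (standing in for
// the external xz process) writes decompressed bytes into a pipe and closes
// done when it exits. Simplified model, not containers/storage's own code.
type layerStream struct {
	r    *io.PipeReader
	done chan struct{}
}

func startLayerStream(decompressed []byte) *layerStream {
	pr, pw := io.Pipe()
	done := make(chan struct{})
	go func() {
		// io.Pipe is unbuffered: this Write blocks until the consumer reads
		// every byte or closes the read end of the pipe.
		_, err := pw.Write(decompressed)
		pw.CloseWithError(err)
		close(done)
	}()
	return &layerStream{r: pr, done: done}
}

// unpackAndClose reads only the first few bytes (the tar reader giving up on
// invalid data), then closes the stream. With closeReaderFirst == false the
// close just waits for the producer, which is still blocked in Write: that is
// the deadlock. Returns true if the close finished before timeout.
func unpackAndClose(s *layerStream, closeReaderFirst bool, timeout time.Duration) bool {
	hdr := make([]byte, 4)
	io.ReadFull(s.r, hdr) // invalid tar data: stop reading after the header
	if closeReaderFirst {
		s.r.Close() // producer's Write now returns io.ErrClosedPipe and exits
	}
	select {
	case <-s.done:
		return true
	case <-time.After(timeout):
		return false
	}
}

func main() {
	layer := bytes.Repeat([]byte{0xff}, 64*1024) // constructed, not a valid tar
	fmt.Println("vulnerable close finished:", unpackAndClose(startLayerStream(layer), false, 200*time.Millisecond))
	fmt.Println("fixed close finished:     ", unpackAndClose(startLayerStream(layer), true, 200*time.Millisecond))
}
```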