
CVE-2021-20291: Improper Locking in github.com/containers/storage

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.30495%
Published: 5/10/2021
Updated: 2/14/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name: github.com/containers/storage
Ecosystem: go
Vulnerable Versions: < 1.28.1
First Patched Version: 1.28.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper handling of xz decompression via external processes. The removed xzDecompress function and its dependency on cmdStream created a scenario where incomplete stream consumption (due to invalid tar data) would leave goroutines blocked on channel operations. The fix replaced shell-out logic with a native xz library, eliminating the problematic process management. The functions directly involved in external process execution and stream coordination are clearly identified in the diff as the root cause.
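The blocked-goroutine pattern the analysis describes, as an added illustration that is not code from containers/storage: a helper forwards a producer's output through a pipe and reports the copy's status on a channel, a consumer rejects the first "tar header" and abandons the stream, and a hardened variant lets the forwarding goroutine exit anyway. All function names and the sample stream are constructed, and the buffered-channel mitigation shown here is a general fix for the pattern, not the project's actual change (which replaced the shell-out with a native xz library).

```go
package main

import (
	"bytes"
	"io"
	"runtime"
	"time"
)

// Constructed stand-in for decompressor output; not real xz or tar data.
var sampleStream = bytes.Repeat([]byte("not-a-valid-tar-header!"), 4096)

// forward copies producer into a pipe and reports the copy's result on done
// (hypothetical model of the pre-fix stream helper, not the project's code).
func forward(producer io.Reader, done chan error) io.ReadCloser {
	pr, pw := io.Pipe()
	go func() {
		_, err := io.Copy(pw, producer)
		pw.CloseWithError(err)
		done <- err // with an unbuffered done this blocks until someone receives
	}()
	return pr
}

// LeakyStream: unbuffered status channel, so a caller that stops reading
// before EOF and never receives leaves the forwarding goroutine stuck.
func LeakyStream(producer io.Reader) (io.ReadCloser, <-chan error) {
	done := make(chan error)
	return forward(producer, done), done
}

// SafeStream: a one-slot buffer lets the goroutine park its status and exit;
// closing the reader also makes any pending pipe write fail immediately.
func SafeStream(producer io.Reader) (io.ReadCloser, <-chan error) {
	done := make(chan error, 1)
	return forward(producer, done), done
}

// unpack models a tar reader that rejects the first 512-byte header and
// abandons the stream without draining it or reading the status channel.
func unpack(r io.ReadCloser) {
	hdr := make([]byte, 512)
	_, _ = io.ReadFull(r, hdr)
	r.Close()
}

// LeakedGoroutines returns how many goroutines remain after unpack gives up.
func LeakedGoroutines(stream func(io.Reader) (io.ReadCloser, <-chan error)) int {
	before := runtime.NumGoroutine()
	r, _ := stream(bytes.NewReader(sampleStream))
	unpack(r)
	time.Sleep(100 * time.Millisecond) // let the forwarder finish or block
	return runtime.NumGoroutine() - before
}
```

LeakedGoroutines(LeakyStream) reports one goroutine parked forever on the status send, while LeakedGoroutines(SafeStream) reports none; in a long-running image-processing loop the first variant accumulates one stuck goroutine per invalid layer.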


WAF Protection Rules

WAF Rule

A deadlock vulnerability was found in `github.com/containers/storage` in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading
