By the Year
In 2022 there have been 2 vulnerabilities in Podmanproject Podman, with an average score of 8.2 out of ten. Last year Podman had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Podman in 2022 could surpass last year's number. In addition, the average CVE base score of the vulnerabilities in 2022 is greater by 1.68.
It may take a day or so for new Podman vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Podmanproject Podman Security Vulnerabilities
A privilege escalation flaw was found in Podman
8.8 - High - April 29, 2022
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
Improper Privilege Management
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions
7.5 - High - April 04, 2022
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Incorrect Default Permissions
A flaw was found in podman
6.5 - Medium - December 23, 2021
A flaw was found in podman. The `podman machine` function (used to create and manage a Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could also be used to interrupt the host's services by forwarding all ports to the VM.
A flaw was found in podman before 1.7.0
7 - High - February 11, 2021
A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if it is owned by the root user inside the container. It does not allow a direct escape from the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts)
5.9 - Medium - February 02, 2021
Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.
Origin Validation Error
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5
6.5 - Medium - September 23, 2020
An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
Improper Removal of Sensitive Information Before Storage or Transfer