CVE-2021-21334 (Medium) detected in github.com/containerd/cri-v1.11.1-0.20200601160732-d7ce093d63d0, github.com/containerd/containerd-6312b52de5ad8fa5637e6d1a24954b68448303a9 #43
Labels: Mend: dependency security vulnerability; Security vulnerability detected by WhiteSource
CVE-2021-21334 - Medium Severity Vulnerability
Vulnerable Libraries - github.com/containerd/cri-v1.11.1-0.20200601160732-d7ce093d63d0, github.com/containerd/containerd-6312b52de5ad8fa5637e6d1a24954b68448303a9
github.com/containerd/cri-v1.11.1-0.20200601160732-d7ce093d63d0
Moved to https://github.com/containerd/containerd/tree/master/pkg/cri . If you wish to submit issues/PRs, please submit to https://github.com/containerd/containerd
Library home page: https://proxy.golang.org/github.com/containerd/cri/@v/v1.11.1-0.20200601160732-d7ce093d63d0.zip
github.com/containerd/containerd-6312b52de5ad8fa5637e6d1a24954b68448303a9
An open and reliable container runtime
Library home page: https://proxy.golang.org/github.com/containerd/containerd/@v/v1.4.0-beta.0.0.20200515000003-6312b52de5ad.zip
Found in HEAD commit: d176fc163fbd69f1a628cf9b7ea217423ee02d31
Found in base branch: master
Vulnerability Details
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have a reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
Publish Date: 2021-03-10
URL: CVE-2021-21334
CVSS 3 Score Details (6.3)
Suggested Fix
Type: Upgrade version
Origin: GHSA-6g2q-w5j3-fwh4
Release Date: 2021-03-10
Fix Resolution: v1.3.10,v1.4.4