<p>Upgrade <code>github.com/containers/podman/v3/pkg/machine</code> to version 3.4.3 or higher.</p>

machine package, versions <3.4.3

Threat Intelligence

0.11% (46^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GITHUBCOMCONTAINERSPODMANV3PKGMACHINE-1932536
published 28 Nov 2021
disclosed 24 Nov 2021
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 24 Nov 2021

CVE-2021-4024 Open this link in a new tab CWE-200 Open this link in a new tab CWE-346 Open this link in a new tab

How to fix?

Upgrade github.com/containers/podman/v3/pkg/machine to version 3.4.3 or higher.

Overview

github.com/containers/podman/v3/pkg/machine is an is a package for creating podman-machines.

Affected versions of this package are vulnerable to Information Exposure via the podman machine function which spawns gvproxy with port 7777 bound to all IPs on the host. If the same port is open on the host's firewall, it's possible to make private services on the VM (podman machine creates VMs running podman process) accessible to the network, as well as forward all ports of the host to the VM.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

None
Availability (A)

Low

Information Exposure Affecting github.com/containers/podman/v3/pkg/machine package, versions <3.4.3

Severity

CVSS assessment made by Snyk's Security Team

Threat Intelligence

Introduced: 24 Nov 2021

How to fix?

Overview

References

CVSS Scores

Snyk

NVD

SUSE

Red Hat