Vulnerability Description
An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Container Network Interface | < 0.8.1 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1919391Issue TrackingThird Party Advisory
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-107054Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1919391Issue TrackingThird Party Advisory
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-107054Third Party Advisory
FAQ
What is CVE-2021-20206?
CVE-2021-20206 is a vulnerability with a CVSS score of 7.2 (HIGH). An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possi...
How severe is CVE-2021-20206?
CVE-2021-20206 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20206?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Container Network Interface.