Vulnerability Description
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Podman Project | Podman | >= 3.3.0, < 3.4.3 |
| Fedoraproject | Fedora | 34 |
| Redhat | Enterprise Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2026675%2C
- https://github.com/containers/podman/releases/tag/v3.4.3Release NotesThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://bugzilla.redhat.com/show_bug.cgi?id=2026675%2C
- https://github.com/containers/podman/releases/tag/v3.4.3Release NotesThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-4024?
CVE-2021-4024 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` AP...
How severe is CVE-2021-4024?
CVE-2021-4024 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-4024?
Check the references section above for vendor advisories and patch information. Affected products include: Podman Project Podman, Fedoraproject Fedora, Redhat Enterprise Linux.