VulnerableCode Package Details - pkg:alpm/archlinux/podman@3.4.2-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-e4bk-d465-juhk Aliases: CVE-2021-41190 GHSA-mc8v-mgrf-8f4m	Clarify Content-Type handling ### Impact In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. ### Patches The OCI Distribution Specification will be updated to require that a `mediaType` value present in a manifest or index match the Content-Type header used during the push and pull operations. ### Workarounds Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields. ### References https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/opencontainers/distribution-spec/ * Email us at security@opencontainers.org	3.4.4-1 Affected by 0 other vulnerabilities.
VCID-mzjw-b6mh-nugs Aliases: CVE-2021-4024 GHSA-3cf2-x423-x582	Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.	3.4.4-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-e4bk-d465-juhk
Aliases:
CVE-2021-41190
GHSA-mc8v-mgrf-8f4m

Clarify Content-Type handling ### Impact In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. ### Patches The OCI Distribution Specification will be updated to require that a `mediaType` value present in a manifest or index match the Content-Type header used during the push and pull operations. ### Workarounds Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields. ### References https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/opencontainers/distribution-spec/ * Email us at security@opencontainers.org

3.4.4-1
Affected by 0 other vulnerabilities.

VCID-mzjw-b6mh-nugs
Aliases:
CVE-2021-4024
GHSA-3cf2-x423-x582

Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.

3.4.4-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:26:28.467468+00:00	Arch Linux Importer	Affected by	VCID-mzjw-b6mh-nugs	https://security.archlinux.org/AVG-2591	38.0.0
2026-04-01T18:26:28.439190+00:00	Arch Linux Importer	Affected by	VCID-e4bk-d465-juhk	https://security.archlinux.org/AVG-2591	38.0.0

2026-04-01T18:26:28.467468+00:00

Arch Linux Importer

Affected by

VCID-mzjw-b6mh-nugs

https://security.archlinux.org/AVG-2591

38.0.0

2026-04-01T18:26:28.439190+00:00

Arch Linux Importer

Affected by

VCID-e4bk-d465-juhk

https://security.archlinux.org/AVG-2591

38.0.0

Next non-vulnerable version	3.4.4-1
Latest non-vulnerable version	3.4.4-1
Risk	3.1