Search for packages
| purl | pkg:deb/debian/libpod@3.0.1%2Bdfsg1-3%2Bdeb11u5?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-24f4-v4pk-g7bh | Podman's default inheritable capabilities for linux container not empty A bug was found in Podman where containers were created with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. |
CVE-2022-27649
GHSA-qvf8-p83w-v58j |
| VCID-3zm9-mtqp-5qdt | Podman Path Traversal Vulnerability leads to arbitrary file read/write A path traversal vulnerability has been discovered in podman before version 1.4.0 in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. |
CVE-2019-10152
GHSA-rh5f-2w6r-q7vj |
| VCID-75hs-t8bs-23e9 | Podman Symlink Vulnerability An issue was discovered in Podman in libpod before 1.6.0. It resolves a symlink in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host. |
CVE-2019-18466
GHSA-r34v-gqmw-qvgj |
| VCID-83z3-5q22-wycr | Podman Origin Validation Error Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman versions from 1.8.0 to 3.0.0. |
CVE-2021-20199
GHSA-grh6-q6m2-rh72 |
| VCID-artb-94uw-33c5 | Podman Elevated Container Privileges It has been discovered that podman before version 0.6.1 does not drop capabilities when executing a container as a non-root user. This results in unnecessary privileges being granted to the container. |
CVE-2018-10856
GHSA-wp7w-vx86-vj9h |
| VCID-ckg3-5czq-t7ek | Information disclosure in podman An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables. |
CVE-2020-14370
GHSA-c3wv-qmjj-45r6 |
| VCID-d9r8-53zf-vqbr | Podman has Files or Directories Accessible to External Parties A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume. This issue was introduced in version 1.6.0. |
CVE-2020-1726
GHSA-vmhj-p9hw-vgrf |
| VCID-gzfd-vguv-dqa1 | Podman Time-of-check Time-of-use (TOCTOU) Race Condition A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system. |
CVE-2023-0778
GHSA-qwqv-rqgf-8qh8 |
| VCID-mzjw-b6mh-nugs | Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM. |
CVE-2021-4024
GHSA-3cf2-x423-x582 |
| VCID-pgjv-k7e2-9qde | Improper Authorization in github.com/containers/libpod A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of security features are disabled when running the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
CVE-2021-20188
GHSA-9h63-7qf6-mv6r |
| VCID-tgmf-r176-juce | Podman publishes a malicious image to public registries Podman is a tool for managing OCI containers and pods. A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service. |
CVE-2022-1227
GHSA-66vw-v2x9-hw75 |
| VCID-ttsj-3bd1-tfhu | Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. |
CVE-2022-2989
GHSA-4wjj-jwc9-2x96 |
| VCID-tuub-p4f4-nqer | Podman Improper Certificate Validation; machine missing TLS verification ### Impact The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry (which it does by default since 5.0.0) allowing a possible Man In The Middle attack. ### Patches https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3 Fixed in v5.5.2 ### Workarounds Download the disk image manually via some other tool that verifies the TLS connection. Then pass the local image as file path (podman machine init --image ./somepath) |
CVE-2025-6032
GHSA-65gg-3w2w-hr4h |
| VCID-zudh-x32u-83by | podman: Privilege escalation in API component |
CVE-2019-25067
|