VulnerableCode Package Details - pkg:alpm/archlinux/podman@3.4.2-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-314j-bs3k-aaae Aliases: CVE-2021-4024 GHSA-3cf2-x423-x582	A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.	3.4.4-1 Affected by 0 other vulnerabilities.
VCID-vsk2-k3mh-aaah Aliases: CVE-2021-41190 GHSA-mc8v-mgrf-8f4m	The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.	3.4.4-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-314j-bs3k-aaae
Aliases:
CVE-2021-4024
GHSA-3cf2-x423-x582

A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.

3.4.4-1
Affected by 0 other vulnerabilities.

VCID-vsk2-k3mh-aaah
Aliases:
CVE-2021-41190
GHSA-mc8v-mgrf-8f4m

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.

3.4.4-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:46:24.110088+00:00	Arch Linux Importer	Affected by	VCID-314j-bs3k-aaae	https://security.archlinux.org/AVG-2591	36.0.0
2025-03-28T07:46:24.091155+00:00	Arch Linux Importer	Affected by	VCID-vsk2-k3mh-aaah	https://security.archlinux.org/AVG-2591	36.0.0
2024-09-18T02:01:39.129911+00:00	Arch Linux Importer	Affected by	VCID-314j-bs3k-aaae	https://security.archlinux.org/AVG-2591	34.0.1
2024-09-18T02:01:39.108803+00:00	Arch Linux Importer	Affected by	VCID-vsk2-k3mh-aaah	https://security.archlinux.org/AVG-2591	34.0.1
2024-01-03T22:27:45.674836+00:00	Arch Linux Importer	Affected by	VCID-314j-bs3k-aaae	https://security.archlinux.org/AVG-2591	34.0.0rc1
2024-01-03T22:27:45.653000+00:00	Arch Linux Importer	Affected by	VCID-vsk2-k3mh-aaah	https://security.archlinux.org/AVG-2591	34.0.0rc1