VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-pt4c-1gws-aaar

Essentials
Severities (109)
References (20)
Severity details (13)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-pt4c-1gws-aaar
Aliases	CVE-2021-20206 GHSA-xjqr-g762-pxwp
Summary	An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-20	Improper Input Validation

System	Score	Found at
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:0799
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:1005
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:1007
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:1552
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:2438
rhas	Moderate	https://access.redhat.com/errata/RHSA-2021:3001
rhas	Moderate	https://access.redhat.com/errata/RHSA-2022:0492
rhas	Moderate	https://access.redhat.com/errata/RHSA-2022:1660
cvssv3	7.2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20206.json
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00123	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00169	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00169	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00169	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00169	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00173	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00174	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
epss	0.00562	https://api.first.org/data/v1/epss?cve=CVE-2021-20206
rhbs	medium	https://bugzilla.redhat.com/show_bug.cgi?id=1919391
cvssv3.1	7.2	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	7.2	https://github.com/containernetworking/cni
generic_textual	HIGH	https://github.com/containernetworking/cni
cvssv3.1	7.2	https://github.com/containernetworking/cni/pull/808
generic_textual	HIGH	https://github.com/containernetworking/cni/pull/808
cvssv2	6.5	https://nvd.nist.gov/vuln/detail/CVE-2021-20206
cvssv3	7.2	https://nvd.nist.gov/vuln/detail/CVE-2021-20206
cvssv3.1	7.2	https://nvd.nist.gov/vuln/detail/CVE-2021-20206
cvssv3.1	7.2	https://pkg.go.dev/vuln/GO-2022-0230
generic_textual	HIGH	https://pkg.go.dev/vuln/GO-2022-0230
cvssv3.1	7.2	https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549
generic_textual	HIGH	https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20206.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-20206
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20206
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/containernetworking/cni
		https://github.com/containernetworking/cni/pull/808
		https://pkg.go.dev/vuln/GO-2022-0230
		https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549
1919391		https://bugzilla.redhat.com/show_bug.cgi?id=1919391
983659		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983659
cpe:2.3:a:linuxfoundation:container_network_interface::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:linuxfoundation:container_network_interface::::::::
CVE-2021-20206		https://nvd.nist.gov/vuln/detail/CVE-2021-20206
RHSA-2021:0799		https://access.redhat.com/errata/RHSA-2021:0799
RHSA-2021:1005		https://access.redhat.com/errata/RHSA-2021:1005
RHSA-2021:1007		https://access.redhat.com/errata/RHSA-2021:1007
RHSA-2021:1552		https://access.redhat.com/errata/RHSA-2021:1552
RHSA-2021:2438		https://access.redhat.com/errata/RHSA-2021:2438
RHSA-2021:3001		https://access.redhat.com/errata/RHSA-2021:3001
RHSA-2022:0492		https://access.redhat.com/errata/RHSA-2022:0492
RHSA-2022:1660		https://access.redhat.com/errata/RHSA-2022:1660

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20206.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/containernetworking/cni

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/containernetworking/cni/pull/808

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-20206

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-20206

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-20206

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2022-0230

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCONTAINERNETWORKINGCNIPKGINVOKE-1070549

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.47707
EPSS Score	0.00123
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.