Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in github.com/containers/podman: CVE-2021-4024 #281

Closed
GoVulnBot opened this issue Feb 4, 2022 · 2 comments
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In CVE-2021-4024, the reference URL github.com/containers/podman (and possibly others) refers to something in Go.

module: github.com/containers/podman
package: podman
description: |
    A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
cves:
  - CVE-2021-4024
links:
    context:
      - https://bugzilla.redhat.com/show_bug.cgi?id=2026675,
      - https://github.com/containers/podman/releases/tag/v3.4.3

See doc/triage.md for instructions on how to triage this report.

@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592766 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607215 mentions this issue: data/reports: unexclude 20 reports (13)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0231.yaml
  - data/reports/GO-2022-0249.yaml
  - data/reports/GO-2022-0250.yaml
  - data/reports/GO-2022-0260.yaml
  - data/reports/GO-2022-0261.yaml
  - data/reports/GO-2022-0270.yaml
  - data/reports/GO-2022-0278.yaml
  - data/reports/GO-2022-0281.yaml
  - data/reports/GO-2022-0291.yaml
  - data/reports/GO-2022-0295.yaml
  - data/reports/GO-2022-0298.yaml
  - data/reports/GO-2022-0302.yaml
  - data/reports/GO-2022-0303.yaml
  - data/reports/GO-2022-0304.yaml
  - data/reports/GO-2022-0305.yaml
  - data/reports/GO-2022-0306.yaml
  - data/reports/GO-2022-0307.yaml
  - data/reports/GO-2022-0308.yaml
  - data/reports/GO-2022-0309.yaml
  - data/reports/GO-2022-0310.yaml

Updates #231
Updates #249
Updates #250
Updates #260
Updates #261
Updates #270
Updates #278
Updates #281
Updates #291
Updates #295
Updates #298
Updates #302
Updates #303
Updates #304
Updates #305
Updates #306
Updates #307
Updates #308
Updates #309
Updates #310

Change-Id: Idffc4951124598d58d8ebf3b1c44fc141f192639
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607215
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

4 participants