search

vipinsun / fabric

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. Its modular and versatile design satisfies a broad range of industry use cases. It offers a unique approach to consensus that enables performance at scale while preserving privacy.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0
0 stars 0 forks source link

CVE-2021-21334 (Medium) detected in github.com/containerd/containerd-v1.4.1 - autoclosed #31

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2021-21334 - Medium Severity Vulnerability

Vulnerable Library - github.com/containerd/containerd-v1.4.1

An open and reliable container runtime

Dependency Hierarchy: - github.com/fsouza/go-dockerclient-v1.7.0 (Root Library) - github.com/docker/docker-v17.03.2-ce - :x: **github.com/containerd/containerd-v1.4.1** (Vulnerable Library)

Found in HEAD commit: ddd974009afe8d2f73f37b444e34d7b8084c235a

Found in base branch: master

Vulnerability Details

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Publish Date: 2021-03-10

URL: CVE-2021-21334

CVSS 3 Score Details (6.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4

Release Date: 2021-03-10

Fix Resolution: v1.3.10,v1.4.4

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.