VYPR
Moderate severity · NVD Advisory · Published Dec 23, 2021 · Updated Aug 3, 2024

CVE-2021-4024

Description

A flaw was found in podman. The podman machine function (used to create and manage a Podman virtual machine containing a Podman process) spawns a gvproxy process on the host system. The gvproxy API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the gvproxy API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could also be used to interrupt the host's services by forwarding all ports to the VM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Podman's `podman machine` command exposes the `gvproxy` API on all IP addresses (port 7777), allowing an attacker to forward host ports to the VM and potentially access private services.

Vulnerability

Podman versions prior to 3.4.3 expose the gvproxy API on all host IP addresses on TCP port 7777 whenever podman machine is used to create or manage a Podman virtual machine [2]. The gvproxy process, which handles port forwarding between the host and the VM, listens on 0.0.0.0:7777, so the API is reachable on every network interface rather than only on loopback [1]. The API requires no authentication, so if the host's firewall allows inbound connections to port 7777, anyone who can reach the host over the network can drive it [2].

Exploitation

An attacker who can reach TCP port 7777 on the host (that is, the port is not blocked by a firewall) can use the gvproxy API to have gvproxy bind ports on the host and forward them to ports inside the Podman-managed VM [2]. No authentication or prior foothold on the host is required. Each forwarding rule the attacker creates publishes a VM-internal service on a host address, so services that were reachable only from inside the VM become reachable from the network, bypassing the VM's network isolation [2].
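
The exposed condition described in the Vulnerability and Exploitation sections, a gvproxy socket bound to every interface, can be checked for before anyone exercises the API. The following POSIX shell function is an added example, not code from the Podman or gvproxy projects: it reads the column layout of `ss -ltnp` and reports gvproxy listeners bound to a wildcard address. The socket listing embedded below is constructed for illustration, and the only assumption about the host is that `ss` is available.

```shell
#!/bin/sh
# Added example, not part of Podman or gvproxy: report gvproxy listeners that are
# bound to every interface, the exposed configuration behind CVE-2021-4024.
# Input is one socket per line in the column layout of `ss -ltnp`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
# On a real host run:  ss -ltnp | exposed_gvproxy_listeners

# Constructed sample listing: two exposed gvproxy sockets, one loopback-only gvproxy
# socket, and one unrelated sshd socket. The header line is skipped by the parser.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:7777 0.0.0.0:* users:(("gvproxy",pid=4242,fd=7))
LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 127.0.0.1:7777 0.0.0.0:* users:(("gvproxy",pid=4243,fd=7))
LISTEN 0 128 *:7777 *:* users:(("gvproxy",pid=4244,fd=7))'

# is_wildcard HOST: succeeds when HOST is an all-interfaces bind (0.0.0.0, [::] or *).
is_wildcard() {
  case "$1" in
    0.0.0.0|'[::]'|'*') return 0 ;;
    *) return 1 ;;
  esac
}

# exposed_gvproxy_listeners: reads ss-style lines on stdin and prints "PID LOCAL-ADDRESS"
# for each gvproxy socket bound to a wildcard address. Exit status is 0 when at least
# one such socket exists and 1 otherwise, so the function can drive a scripted check.
exposed_gvproxy_listeners() {
  found=1
  while read -r state _rq _sq laddr _paddr proc; do
    [ "$state" = "LISTEN" ] || continue
    case "$proc" in *'"gvproxy"'*) ;; *) continue ;; esac
    host=${laddr%:*}          # strip the trailing :port; keeps [::] intact
    if is_wildcard "$host"; then
      pid=${proc##*pid=}
      pid=${pid%%,*}
      printf '%s %s\n' "$pid" "$laddr"
      found=0
    fi
  done
  return "$found"
}

# Run against the constructed sample; replace with `ss -ltnp |` on a real host.
printf '%s\n' "$SAMPLE_SS" | exposed_gvproxy_listeners
```

A loopback-only gvproxy socket (127.0.0.1:7777) is deliberately not reported: the flaw is the wildcard bind, not the existence of the API.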

Impact

Successful exploitation lets an attacker make private services running inside the VM reachable from the external network, potentially leading to unauthorized access or data exposure [2]. The attacker can also forward all host ports to the VM, causing a denial of service by interrupting legitimate host services [2]. The exposed services are those inside the podman machine VM, but the host is not shielded: the forwarded ports are bound on the host itself, which is what makes the denial of service against host services possible.

Mitigation

The vulnerability is fixed in Podman 3.4.3, released on December 13, 2021 [3]; upgrade to that version or later. Until the upgrade is applied, block inbound connections to TCP port 7777 on the host firewall from every interface except loopback, which removes network reach to the gvproxy API without affecting connections made from the host itself [2]. Since gvproxy is spawned for the podman machine VM, stopping the VM when it is not in use also removes the exposure for that period. The CVE is not currently listed in the KEV catalog.
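
The two mitigation steps above, check the installed version against 3.4.3 and, where upgrading must wait, confine port 7777 to loopback, can be scripted. The following POSIX shell script is an added example and not Podman project code. It assumes that `podman --version` prints "podman version X.Y.Z", that the gvproxy API is still on its default port 7777, and that the nftables ruleset uses the default table and chain names (inet filter, input); the iptables line is the legacy equivalent. When Podman is not installed it falls back to a constructed sample version string, and it prints the firewall commands rather than applying them, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not Podman project code: is the installed Podman older than the
# release that fixed CVE-2021-4024, and if so, which interim firewall rules keep
# the gvproxy API on TCP 7777 reachable only over loopback?
# Rules are printed rather than applied, so this runs unprivileged; apply them as root.

FIXED_VERSION=3.4.3
GVPROXY_PORT=7777          # assumption: the API port has not been changed from the default

# version_lt A B: succeeds when dotted version A sorts before B.
# Numeric fields are compared one at a time; missing fields count as 0, and a
# pre-release suffix on A ("3.4.3-rc1") sorts before the plain release.
version_lt() {
  a=${1%%-*}; b=${2%%-*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  case "$1" in *-*) return 0 ;; esac   # same numbers, but A is a pre-release
  return 1
}

# podman_affected "podman version X.Y.Z": succeeds when that release predates the fix.
podman_affected() {
  version_lt "${1##* }" "$FIXED_VERSION"
}

# Interim mitigation for hosts that cannot upgrade yet. Assumes the default
# nftables layout (table "inet filter", chain "input"); the iptables line is the
# legacy equivalent. Loopback is left open so connections from the host itself
# are unaffected; only traffic arriving on other interfaces is dropped.
gvproxy_firewall_rules() {
  printf 'nft add rule inet filter input iifname != "lo" tcp dport %s drop\n' "$GVPROXY_PORT"
  printf 'iptables -I INPUT ! -i lo -p tcp --dport %s -j DROP\n' "$GVPROXY_PORT"
}

SAMPLE_VERSION='podman version 3.4.2'     # constructed sample for hosts without Podman
if command -v podman >/dev/null 2>&1; then
  VERSION_OUTPUT=$(podman --version)
else
  VERSION_OUTPUT=$SAMPLE_VERSION
fi

if podman_affected "$VERSION_OUTPUT"; then
  echo "$VERSION_OUTPUT predates $FIXED_VERSION: upgrade, and meanwhile apply:"
  gvproxy_firewall_rules
else
  echo "$VERSION_OUTPUT includes the fix"
fi
```

The version comparison is deliberately field-wise rather than a string comparison, so that 3.10.0 is not mistaken for something older than 3.4.3.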

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/containers/podman/v3 (Go)
Affected versions: < 3.4.3
Patched versions: 3.4.3

Affected products: 60


References: 7
