rpm package
almalinux/podman-tests
pkg:rpm/almalinux/podman-tests
Vulnerabilities (105)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-30629 | — | < 2:4.4.1-3.el9 | 2:4.4.1-3.el9 | Aug 9, 2022 | Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. | ||
| CVE-2022-30630 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. | ||
| CVE-2022-1705 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. | ||
| CVE-2022-30631 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. | ||
| CVE-2022-30633 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. | ||
| CVE-2022-30635 | — | < 3:4.4.1-8.module_el8.8.0+3568+e8578284 | 3:4.4.1-8.module_el8.8.0+3568+e8578284 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. | ||
| CVE-2022-30632 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. | ||
| CVE-2022-28131 | — | < 3.0.1-13.module_el8.7.0+3297+1eb250cf | 3.0.1-13.module_el8.7.0+3297+1eb250cf | Aug 9, 2022 | Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. | ||
| CVE-2022-1708 | — | < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | Jun 7, 2022 | A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and | ||
| CVE-2022-29162 | — | < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | May 17, 2022 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environme | ||
| CVE-2022-1227 | — | < 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | Apr 29, 2022 | A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the a | ||
| CVE-2022-27650 | — | < 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | Apr 4, 2022 | A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker w | ||
| CVE-2022-27651 | — | < 3.0.1-8.module_el8.6.0+2876+9ed4eae2 | 3.0.1-8.module_el8.6.0+2876+9ed4eae2 | Apr 4, 2022 | A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to p | ||
| CVE-2022-27649 | — | < 3.0.1-8.module_el8.6.0+2876+9ed4eae2 | 3.0.1-8.module_el8.6.0+2876+9ed4eae2 | Apr 4, 2022 | A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attack | ||
| CVE-2022-27191 | — | < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | 2:4.0.2-8.module_el8.7.0+3344+5bcd850f | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | ||
| CVE-2022-21698 | — | < 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | 2:4.0.2-6.module_el8.6.0+2878+e681bc44 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde | ||
| CVE-2021-4024 | — | < 2:4.2.0-3.el9 | 2:4.2.0-3.el9 | Dec 23, 2021 | A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is op | ||
| CVE-2021-33198 | — | < 4:4.9.4-18.module_el8.10.0+3926+f12484f5 | 4:4.9.4-18.module_el8.10.0+3926+f12484f5 | Aug 2, 2021 | In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. | ||
| CVE-2021-33197 | — | < 2:4.2.0-3.el9 | 2:4.2.0-3.el9 | Aug 2, 2021 | In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. | ||
| CVE-2021-34558 | — | < 2:4.2.0-3.el9 | 2:4.2.0-3.el9 | Jul 15, 2021 | The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. |
- CVE-2022-30629Aug 9, 2022affected < 2:4.4.1-3.el9fixed 2:4.4.1-3.el9
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
- CVE-2022-30630Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
- CVE-2022-1705Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid.
- CVE-2022-30631Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
- CVE-2022-30633Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
- CVE-2022-30635Aug 9, 2022affected < 3:4.4.1-8.module_el8.8.0+3568+e8578284fixed 3:4.4.1-8.module_el8.8.0+3568+e8578284
Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
- CVE-2022-30632Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
- CVE-2022-28131Aug 9, 2022affected < 3.0.1-13.module_el8.7.0+3297+1eb250cffixed 3.0.1-13.module_el8.7.0+3297+1eb250cf
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
- CVE-2022-1708Jun 7, 2022affected < 2:4.0.2-8.module_el8.7.0+3344+5bcd850ffixed 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and
- CVE-2022-29162May 17, 2022affected < 2:4.0.2-8.module_el8.7.0+3344+5bcd850ffixed 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environme
- CVE-2022-1227Apr 29, 2022affected < 2:4.0.2-6.module_el8.6.0+2878+e681bc44fixed 2:4.0.2-6.module_el8.6.0+2878+e681bc44
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the a
- CVE-2022-27650Apr 4, 2022affected < 2:4.0.2-6.module_el8.6.0+2878+e681bc44fixed 2:4.0.2-6.module_el8.6.0+2878+e681bc44
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker w
- CVE-2022-27651Apr 4, 2022affected < 3.0.1-8.module_el8.6.0+2876+9ed4eae2fixed 3.0.1-8.module_el8.6.0+2876+9ed4eae2
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to p
- CVE-2022-27649Apr 4, 2022affected < 3.0.1-8.module_el8.6.0+2876+9ed4eae2fixed 3.0.1-8.module_el8.6.0+2876+9ed4eae2
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attack
- CVE-2022-27191Mar 18, 2022affected < 2:4.0.2-8.module_el8.7.0+3344+5bcd850ffixed 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- CVE-2022-21698Feb 15, 2022affected < 2:4.0.2-6.module_el8.6.0+2878+e681bc44fixed 2:4.0.2-6.module_el8.6.0+2878+e681bc44
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
- CVE-2021-4024Dec 23, 2021affected < 2:4.2.0-3.el9fixed 2:4.2.0-3.el9
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is op
- CVE-2021-33198Aug 2, 2021affected < 4:4.9.4-18.module_el8.10.0+3926+f12484f5fixed 4:4.9.4-18.module_el8.10.0+3926+f12484f5
In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
- CVE-2021-33197Aug 2, 2021affected < 2:4.2.0-3.el9fixed 2:4.2.0-3.el9
In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
- CVE-2021-34558Jul 15, 2021affected < 2:4.2.0-3.el9fixed 2:4.2.0-3.el9
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
Page 5 of 6