Home > Vulnerability Database > CVE-2021-21334

Mend.io Vulnerability Database

CVE-2021-21334

Good to know:

Date: March 10, 2021

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Language: Go

Severity Score

6.3

Related Resources (13)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/

Url: https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-21334

Url: https://security.alpinelinux.org/vuln/CVE-2021-21334

Url: https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4

Url: https://github.com/containerd/containerd/releases/tag/v1.3.10

Url: https://security-tracker.debian.org/tracker/CVE-2021-21334

Url: https://security.gentoo.org/glsa/202105-33

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-21334

Url: https://github.com/containerd/containerd/releases/tag/v1.4.4

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT/

Url: https://www.mend.io/vulnerability-database/CVE-2021-21334

Severity Score

6.3

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Top Fix

Upgrade Version

Upgrade to version v1.3.10,v1.4.4

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-21334

Good to know:

Date: March 10, 2021

Language: Go

Severity Score

Related Resources (13)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?