CVE-2021-20291

Aliases:GHSA-7qw8-847f-pggmGO-2021-0100

Advisory lineage Upstream: 0 Downstream: 13

Downstream

DEBIAN-CVE-2021-20291 MGASA-2023-0213 OPENSUSE-SU-2022:23018-1 OPENSUSE-SU-2024:11757-1 RHBA-2022:0348 RHSA-2021:1150

Modified

Published: 01 Apr 2021, 17:49

Last modified:03 Aug 2024, 17:37

Vulnerability Summary

Overall Risk (default)

medium

39/100

CVSS Score

7.1 HIGH

v2.0 (nvd)

EPSS Score

1.03% LOW

1% probability +0.15%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

01 Apr 2021, 17:49

Published

Vulnerability first disclosed

03 Aug 2024, 17:37

Last Modified

Vulnerability information updated

Description

A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
v2.0•HIGH•Score: 7.1AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS Trends

Current EPSS score: 1.03%• Percentile: 78%

Techniques & Countermeasures

CWE-667•Improper Locking
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Affected Systems

fedoraproject•fedora
33 | 34
github.com/containers•storage
< 1.28.1
redhat•enterprise_linux
8.0
redhat•openshift_container_platform
4.0
storage_project•storage
< 1.28.1