CVE-2020-15157
Vulnerability from cvelistv5
Published: 2020-10-16 16:45
Modified: 2024-08-04 13:08
Summary
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.310Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
          },
          {
            "name": "USN-4589-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4589-1/"
          },
          {
            "name": "USN-4589-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4589-2/"
          },
          {
            "name": "DSA-4865",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4865"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a \u201cforeign layer\u201d), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user\u0027s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-28T11:06:37",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
        },
        {
          "name": "USN-4589-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4589-1/"
        },
        {
          "name": "USN-4589-2",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4589-2/"
        },
        {
          "name": "DSA-4865",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4865"
        }
      ],
      "source": {
        "advisory": "GHSA-742w-89gc-8m9c",
        "discovery": "UNKNOWN"
      },
      "title": "containerd can be coerced into leaking credentials during image pull",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15157",
          "STATE": "PUBLIC",
          "TITLE": "containerd can be coerced into leaking credentials during image pull"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "containerd",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.2.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "containerd"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a \u201cforeign layer\u201d), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user\u0027s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522 Insufficiently Protected Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
              "refsource": "CONFIRM",
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.2.14",
              "refsource": "MISC",
              "url": "https://github.com/containerd/containerd/releases/tag/v1.2.14"
            },
            {
              "name": "USN-4589-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4589-1/"
            },
            {
              "name": "USN-4589-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4589-2/"
            },
            {
              "name": "DSA-4865",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4865"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-742w-89gc-8m9c",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15157",
    "datePublished": "2020-10-16T16:45:18",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:08:22.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

