CVE-2019-10214 – containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

https://notcve.org/view.php?id=CVE-2019-10214

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens. La biblioteca de containers/image utilizada por las herramientas de contenedores Podman, Buildah y Skopeo en Red Hat Enterprise Linux versión 8 y CRI-O en OpenShift Container Platform, no aplica conexiones TLS al servicio de autorización de registro de contenedores. Un atacante podría utilizar esta vulnerabilidad para iniciar un ataque de tipo MiTM y robar credenciales de inicio de sesión o tokens de portador. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214 https://access.redhat.com/security/cve/CVE-2019-10214 https://bugzilla.redhat.com/show_bug.cgi?id=1732508 • CWE-522: Insufficiently Protected Credentials •