CVE-2019-10214

containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.

La biblioteca de containers/image utilizada por las herramientas de contenedores Podman, Buildah y Skopeo en Red Hat Enterprise Linux versión 8 y CRI-O en OpenShift Container Platform, no aplica conexiones TLS al servicio de autorización de registro de contenedores. Un atacante podría utilizar esta vulnerabilidad para iniciar un ataque de tipo MiTM y robar credenciales de inicio de sesión o tokens de portador.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-27 CVE Reserved
2019-09-24 CVE Published
2024-08-04 CVE Updated
2024-11-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-522: Insufficiently Protected Credentials

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214	2021-10-28

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html	2021-10-28
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html	2021-10-28
https://access.redhat.com/security/cve/CVE-2019-10214	2019-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1732508	2019-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Buildah Project Search vendor "Buildah Project"		Buildah Search vendor "Buildah Project" for product "Buildah"				-		-		Affected
Libpod Project Search vendor "Libpod Project"		Libpod Search vendor "Libpod Project" for product "Libpod"				-		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.1 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.1"		-		Affected
Skopeo Project Search vendor "Skopeo Project"		Skopeo Search vendor "Skopeo Project" for product "Skopeo"				-		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected