CVE-2020-15157
containerd can be coerced into leaking credentials during image pull
Public Exploits: 0
Exploited in Wild: -
Descriptions
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
A flaw was found in containerd. Credentials may be leaked during an image pull.
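The mechanism described above hinges on a manifest layer carrying a `urls` entry (a foreign layer) that the 1.2.x resolver will follow and, on a 401 with registry-style headers, authenticate to. A defender can catch that before the pull by inspecting the manifest and refusing layers whose URLs point off the registry being pulled from. The following is an added example written for this page, not containerd's own code: it parses an OCI Image / Docker V2 Schema 2 manifest (both formats put optional `urls` on layer descriptors) and reports off-registry or non-HTTPS layer URLs. The manifests embedded below are constructed sample data, and the host names (`registry.example.com`, `cdn.example.net`) are assumptions.

```python
"""Pre-pull check for foreign layers in an OCI / Docker V2 Schema 2 manifest.

Added example for CVE-2020-15157, not containerd's own code.  It assumes the
manifest has already been fetched as JSON text and that the caller knows the
registry host the pull is going to; the resolver policy it enforces is: a layer
may only be fetched from the registry itself or from an explicit allowlist.
"""
import json
from urllib.parse import urlsplit

# Layer media types that the OCI image spec and Docker schema 2 use for layers
# that are typically distributed via "urls" (so-called foreign / non-distributable layers).
FOREIGN_LAYER_TYPES = {
    "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
    "application/vnd.oci.image.layer.nondistributable.v1.tar",
    "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip",
}


def find_foreign_layers(manifest_json, registry_host, allowed_hosts=()):
    """Return a list of (digest, url, reason) for layer URLs that violate policy.

    Policy: every URL in a layer's "urls" must use https and point at the
    registry host or at a host in allowed_hosts.  Layers without "urls" are
    pulled from the registry blob API and are not reported.
    """
    manifest = json.loads(manifest_json)
    allowed = {registry_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for layer in manifest.get("layers", []):
        digest = layer.get("digest", "<no digest>")
        for url in layer.get("urls") or []:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme != "https":
                findings.append((digest, url, "non-https layer URL"))
            elif host not in allowed:
                findings.append((digest, url, f"layer URL host {host!r} is not allowed"))
    return findings


def is_safe_to_pull(manifest_json, registry_host, allowed_hosts=()):
    """True when no layer would cause the resolver to contact a non-allowed host."""
    return not find_foreign_layers(manifest_json, registry_host, allowed_hosts)


# Constructed sample manifests (Docker V2 Schema 2 shape); digests are placeholders.
CLEAN_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "b" * 64},
    ],
})

SUSPECT_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "b" * 64},
        # Foreign layer whose URL points at a host other than the registry.
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "c" * 64,
         "urls": ["https://cdn.example.net/layers/c.tar.gz"]},
        # Same host as the registry, but plain http: credentials would travel in clear.
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "d" * 64,
         "urls": ["http://registry.example.com/v2/blobs/d"]},
    ],
})


if __name__ == "__main__":
    for name, manifest in (("clean", CLEAN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(name, "safe" if is_safe_to_pull(manifest, "registry.example.com") else "REJECT")
        for digest, url, reason in find_foreign_layers(manifest, "registry.example.com"):
            print("  ", digest[:19], url, "->", reason)
```

Legitimate foreign layers exist (vendor-hosted base layers are the usual case), so the check takes an allowlist rather than rejecting every `urls` entry outright; an unpatched 1.2.x host should still treat anything outside that allowlist as a reason not to pull, since the fix itself only landed in 1.2.14.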
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-06-25 CVE Reserved
- 2020-10-16 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-20 EPSS Updated
- (not recorded) Exploited in Wild
- (not recorded) KEV Due Date
- (not recorded) First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (7)
URL | Tag | Source
---|---|---
https://github.com/containerd/containerd/releases/tag/v1.2.14 | Third Party Advisory |
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c | Third Party Advisory |

URL | Date | SRC
---|---|---
https://usn.ubuntu.com/4589-1 | 2021-11-18 |
https://usn.ubuntu.com/4589-2 | 2021-11-18 |
https://www.debian.org/security/2021/dsa-4865 | 2021-11-18 |
https://access.redhat.com/security/cve/CVE-2020-15157 | 2021-02-24 |
https://bugzilla.redhat.com/show_bug.cgi?id=1888248 | 2021-02-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Linuxfoundation | Containerd | >= 1.2.0 < 1.2.14 | - | Affected
Linuxfoundation | Containerd | 1.3.0 | - | Affected
Linuxfoundation | Containerd | 1.3.0 | beta0 | Affected
Linuxfoundation | Containerd | 1.3.0 | beta1 | Affected
Linuxfoundation | Containerd | 1.3.0 | beta2 | Affected
Linuxfoundation | Containerd | 1.3.0 | rc0 | Affected
Linuxfoundation | Containerd | 1.3.0 | rc1 | Affected
Linuxfoundation | Containerd | 1.3.0 | rc2 | Affected
Linuxfoundation | Containerd | 1.3.0 | rc3 | Affected
Canonical | Ubuntu Linux | 16.04 | lts | Affected
Canonical | Ubuntu Linux | 18.04 | lts | Affected
Canonical | Ubuntu Linux | 20.04 | lts | Affected
Debian | Debian Linux | 10.0 | - | Affected