fkie_cve-2020-15157
Vulnerability from fkie_nvd
Published
2020-10-16 17:15
Modified
2024-11-21 05:04
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
References
security-advisories@github.comhttps://github.com/containerd/containerd/releases/tag/v1.2.14Third Party Advisory
security-advisories@github.comhttps://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9cThird Party Advisory
security-advisories@github.comhttps://usn.ubuntu.com/4589-1/Third Party Advisory
security-advisories@github.comhttps://usn.ubuntu.com/4589-2/Third Party Advisory
security-advisories@github.comhttps://www.debian.org/security/2021/dsa-4865Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/containerd/containerd/releases/tag/v1.2.14Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9cThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4589-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4589-2/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2021/dsa-4865Third Party Advisory
Impacted products
Vendor Product Version
linuxfoundation containerd *
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
linuxfoundation containerd 1.3.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 20.04
debian debian_linux 10.0


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0C304363-533E-4DA0-9F40-93E6D86E59CD",
                     versionEndExcluding: "1.2.14",
                     versionStartIncluding: "1.2.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:-:*:*:*:*:*:*",
                     matchCriteriaId: "456DE836-AA57-4EFD-A86C-605C7E3F2458",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta0:*:*:*:*:*:*",
                     matchCriteriaId: "BF7FDBEC-0537-4A66-849D-C713643D2AE0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta1:*:*:*:*:*:*",
                     matchCriteriaId: "F0B14069-915C-4CA6-BF0C-EC9E8182376F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta2:*:*:*:*:*:*",
                     matchCriteriaId: "CCD383CB-954C-42D3-B1A6-7116BA2CA022",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc0:*:*:*:*:*:*",
                     matchCriteriaId: "E34C93C2-DCBD-4F8A-AE8D-4EDF49CE2BAC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "541DDD1F-302B-41C7-A4EC-362E3AEDEDDF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "023E3733-2DF7-4272-A373-65FE6F1C123D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "BBF42CAF-4E8D-46ED-9C14-1EFA57721A72",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
                     matchCriteriaId: "902B8056-9E37-443B-8905-8AA93E2447FB",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.",
      },
      {
         lang: "es",
         value: "En containerd (un tiempo de ejecución de contenedor estándar de la industria) anterior a la versión 1.2.14, Se presenta una vulnerabilidad de filtrado de credenciales. Si un manifiesto de imagen de contenedor en el formato OCI Image o el formato Docker Image V2 Schema 2 incluye una URL para la ubicación de una capa de imagen específica (también se conoce como “foreign layer”), el solucionador de containerd predeterminado seguirá esa URL para intentar descargarla. En la versión v1.2.x pero no en 1.3.0 o posterior, el solucionador de containerd predeterminado proporcionará sus credenciales de autenticación si el servidor donde se encuentra la URL presenta un código de estado HTTP 401 junto con encabezados HTTP específicos del registro. Si un atacante publica una imagen pública con un manifiesto que indica que una de las capas se extraiga de un servidor web que controlan y engaña a un usuario o sistema para que extraiga la imagen, pueden obtener las credenciales usadas para extraer esa imagen. En algunos casos, puede ser el nombre de usuario y la contraseña del usuario para el registro. En otros casos, estas pueden ser las credenciales adjuntas a la instancia virtual en nube que pueden otorgar acceso a otros recursos en nube en la cuenta. El solucionador de containerd predeterminado es usado por el plugin cri-containerd (que puede ser usado por Kubernetes), la herramienta de desarrollo ctr y otros programas cliente que se han vinculado explícitamente con él. Esta vulnerabilidad ha sido corregida en containerd versión 1.2.14. containerd versión 1.3 y posteriores no están afectados. Si está utilizando containerd versión 1.3 o posterior, no estará afectado. Si está utilizando cri-containerd en la serie 1.2 o anterior, debe asegurarse de obtener solo imágenes de fuentes confiables. Otros tiempos de ejecución de contenedores construidos por encima de containerd pero que no usan el solucionador predeterminado (tal y como Docker) no están afectados",
      },
   ],
   id: "CVE-2020-15157",
   lastModified: "2024-11-21T05:04:57.953",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "LOW",
            cvssData: {
               accessComplexity: "HIGH",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 2.6,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 4.9,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.1,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-10-16T17:15:11.870",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-1/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-2/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/releases/tag/v1.2.14",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://usn.ubuntu.com/4589-2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4865",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.