GoogleOSV:GHSA-85P9-J7C9-V4GRcontainers/image library Insufficiently Protects Credentials
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.9%
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/containers/image | lt | 3.0.0 |
References
lists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html
lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
bugzilla.redhat.com/show_bug.cgi?id=1732508
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
github.com/containers/image
github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
github.com/containers/image/issues/654
github.com/containers/image/pull/655
github.com/containers/image/pull/669
nvd.nist.gov/vuln/detail/CVE-2019-10214
pkg.go.dev/vuln/GO-2021-0081
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.9%