Information Disclosure

2020-10-1801:59:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

JSON

containerd is vulnerable to information disclosure. The containerd resolver sends the authentication credentials when it follows a URL to attempt to download a specific image layer. An attacker is able to exploit this behavior to obtain the authentication credentials by publishing a public image with a manifest that redirects the layers to a third-party address.

CPENameOperatorVersion
docker.io:develeq19.03.11-0ubuntu3
docker.io:develeq19.03.11-0ubuntu2
docker.io:bioniceq18.09.7-0ubuntu1~18.04.4
docker.io:bioniceq19.03.6-0ubuntu1~18.04.1
docker.io:bioniceq17.12.1-0ubuntu1
containerd:xenialeq1.2.6-0ubuntu1~16.04.3
docker.io:focaleq19.03.8-0ubuntu1.20.04
docker.io:focaleq19.03.8-0ubuntu1
docker.io:xenialeq18.09.7-0ubuntu1~16.04.5
docker.io:xenialeq1.10.3-0ubuntu6

Name	Operator	Version
docker.io:devel	eq	19.03.11-0ubuntu3
docker.io:devel	eq	19.03.11-0ubuntu2
docker.io:bionic	eq	18.09.7-0ubuntu1~18.04.4
docker.io:bionic	eq	19.03.6-0ubuntu1~18.04.1
docker.io:bionic	eq	17.12.1-0ubuntu1
containerd:xenial	eq	1.2.6-0ubuntu1~16.04.3
docker.io:focal	eq	19.03.8-0ubuntu1.20.04
docker.io:focal	eq	19.03.8-0ubuntu1
docker.io:xenial	eq	18.09.7-0ubuntu1~16.04.5
docker.io:xenial	eq	1.10.3-0ubuntu6