CVE-2019-10214 — Insufficiently Protected Credentials in Containers Image
Severity
5.9 MEDIUM (NVD)
EPSS
0.5%
top 35.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 25
Latest update: Feb 15
Description
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages (3 packages)
Also affects: Openshift Container Platform 4.1, Enterprise Linux 8.0
Patches
Vulnerability Details (5)
OSV
CVE-2019-10214: The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Cont… (2019-11-25)
CVEList
CVE-2019-10214: The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Cont… (2019-11-25)
Vendor Advisories (2)
Community (1)
Bugzilla
CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure (2019-07-23)