CVE-2020-15157
Published: 2020-10-16
Priority: P3 (36) · Severity: medium · CVSS 3.1 base score: 6.1 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
EPSS: 2.21% (80.4th percentile)
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.

If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it.

This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
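The check below is an added example, not containerd code and not taken from any of the advisories on this page. It lists the layers of an OCI or Docker V2 Schema 2 manifest whose `urls` point at a host other than the registry the image is pulled from, which is exactly the condition the description above relies on, and it models the defensive rule (credentials only ever go to the registry host) as a one-line predicate; that predicate is my reading of the fix, not a quote from it. The manifest, host names and digests are constructed for the example.

```python
from urllib.parse import urlsplit


def same_host(registry_host: str, url: str) -> bool:
    """True if the URL's host is the registry itself (scheme and port ignored)."""
    return (urlsplit(url).hostname or "").lower() == registry_host.lower()


def off_registry_layer_urls(manifest: dict, registry_host: str) -> list:
    """Return (digest, url) for every layer URL that names a host other than
    the registry the image is being pulled from.

    A containerd 1.2.x resolver would follow each such URL and, if that server
    replied with a 401 plus registry-style headers, offer it the registry
    credential. Listing them lets a pull policy refuse or warn before any
    request leaves the host.
    """
    findings = []
    for layer in manifest.get("layers", []):
        for url in layer.get("urls") or []:
            if not same_host(registry_host, url):
                findings.append((layer.get("digest", "<no digest>"), url))
    return findings


def credential_allowed(registry_host: str, challenge_url: str) -> bool:
    """Defensive rule (assumed, not quoted from the fix): a registry credential
    may only be sent to the registry's own host, never to a layer URL host."""
    return same_host(registry_host, challenge_url)


# Constructed sample manifest (Docker Image V2 Schema 2); digests are dummies.
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "digest": "sha256:" + "0" * 64, "size": 1},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + "1" * 64, "size": 1},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "digest": "sha256:" + "2" * 64, "size": 1,
         "urls": ["https://layers.example.invalid/blob"]},
    ],
}

if __name__ == "__main__":
    for digest, url in off_registry_layer_urls(SAMPLE_MANIFEST, "registry.example.invalid"):
        print(f"refuse pull: layer {digest} would be fetched from {url}")
```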
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| containerd | containerd | < 1.2.14 | 1.2.14 |
| containerd | containerd | >= 0 < 1.3.2~ds1-2 | 1.3.2~ds1-2 |
| containerd | containerd | >= 0 < 1.3.2~ds1-2 | 1.3.2~ds1-2 |
| containerd | containerd | >= 0 < 1.3.2~ds1-2 | 1.3.2~ds1-2 |
| containerd | containerd | >= 0 < 1.3.2~ds1-2 | 1.3.2~ds1-2 |
| debian | containerd | < containerd 1.3.2~ds1-2 (bookworm) | containerd 1.3.2~ds1-2 (bookworm) |
| debian | debian_linux | — | — |
| debian | docker.io | < containerd 1.3.2~ds1-2 (bookworm) | containerd 1.3.2~ds1-2 (bookworm) |
| github.com | containerd_containerd | >= 0 < 1.2.14 | 1.2.14 |
| github.com | distribution_distribution | 0 – 2.8.3 | — |
| github.com | distribution_distribution_v3 | >= 0 < 3.1.0 | 3.1.0 |
| linuxfoundation | containerd | — | — |
| linuxfoundation | containerd | >= 1.2.0 < 1.2.14 | 1.2.14 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV · 2026-04-06 · CVSS 6.1
CVE-2026-33540 [MEDIUM] Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
hi guys,
commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)
contact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)
## summary
in pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` challenges returned by the configured upstream registry. the `realm` URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled `realm` URL.
this is the
GHSA · 2026-04-06 · CVSS 6.1
CVE-2026-33540 [MEDIUM] CWE-918 Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
OSV · 2024-08-21
CVE-2020-15157 containerd v1.2.x can be coerced into leaking credentials during image pull in github.com/containerd/containerd
GHSA · 2022-02-11
CVE-2020-15157 [MEDIUM] CWE-522 containerd v1.2.x can be coerced into leaking credentials during image pull
## Impact
If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.
If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials
OSV · 2022-02-11
CVE-2020-15157 [MEDIUM] containerd v1.2.x can be coerced into leaking credentials during image pull
OSV · 2020-10-16 · CVSS 6.1
CVE-2020-15157 [MEDIUM] In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability
Red Hat · 2020-10-15 · CVSS 6.1
CVE-2020-15157 [MEDIUM] CWE-200 containerd: credentials leak during image pull
Ubuntu · 2020-10-15
CVE-2020-15157 containerd vulnerability
Title: containerd vulnerability
Summary: containerd could be made to expose sensitive information over the network.
It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user's registry credentials.
Instructions: After a standard system update you need to restart containerd to make all the necessary changes.
Ubuntu · 2020-10-15
CVE-2020-15157 Docker vulnerability
Title: Docker vulnerability
Summary: Docker could be made to expose sensitive information over the network.
USN-4589-1 fixed a vulnerability in containerd. This update provides the corresponding update for docker.io.
Original advisory details:
It was discovered that containerd could be made to expose sensitive information when processing URLs in container image manifests. A remote attacker could use this to trick the user and obtain the user's registry credentials.
Instructions: After a standard system update you need to restart docker to make all the necessary changes.
Debian · 2020 · CVSS 6.1
CVE-2020-15157 [MEDIUM] containerd - In containerd (an industry-standard container runtime) before version 1.2.14 the...
No detection rules found.
No public exploits indexed.
Bugzilla · 2020-10-22 · CVSS 6.1
CVE-2020-15157 [MEDIUM] containerd: credentials leak during image pull [epel-7]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg upda
Bugzilla · 2020-10-14 · CVSS 6.1
CVE-2020-15157 [MEDIUM] containerd: credentials leak during image pull
containerd v1.2.x can be coerced into leaking credentials during image pull
Discussion:
References:
https://www.openwall.com/lists/oss-security/2020/10/15/1
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
https://github.com/containerd/containerd/releases/tag/v1.2.14
---
External References:
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
https://github.com/containerd/containerd/releases/tag/v1.2.14
https://www.openwall.com/lists/oss-security/2020/10/15/1
---
Upstream commit with fix:
https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
---
Statement:
In OpenShift Container Platform (OCP) the ose-cluster-autoscaler co
References:
https://github.com/containerd/containerd/releases/tag/v1.2.14
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
https://usn.ubuntu.com/4589-1/
https://usn.ubuntu.com/4589-2/
https://www.debian.org/security/2021/dsa-4865