CVE-2020-15157 — Insufficiently Protected Credentials in Containerd
Severity
6.1 MEDIUM (NVD)
EPSS
0.8%
top 26.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 16
Latest update: Aug 21
Description
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials i…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 4.0
Affected Packages
4 packages
Also affects: Debian Linux 10.0, Ubuntu Linux 16.04, 18.04, 20.04
Vulnerability Details
OSV (5)
containerd v1.2.x can be coerced into leaking credentials during image pull in github.com/containerd/containerd (2024-08-21)