Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #1335

Closed
GoVulnBot opened this issue Jan 9, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #1335

GoVulnBot opened this issue Jan 9, 2023 · 1 comment
Labels
duplicate

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-742w-89gc-8m9c, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/containerd/containerd 1.2.14 < 1.2.14

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 1.2.14
    packages:
      - package: github.com/containerd/containerd
description: |-
    ## Impact

    If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.

    If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account.

    The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it.

    This vulnerability has been rated by the containerd maintainers as medium, with a CVSS score of 6.1 and a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N.

    ## Patches

    This vulnerability has been fixed in containerd 1.2.14.  containerd 1.3 and later are not affected.

    ## Workarounds

    If you are using containerd 1.3 or later, you are not affected.  If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources.  Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.

    ## Credits

    The containerd maintainers would like to thank Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/master/SECURITY.md).
cves:
  - CVE-2020-15157
ghsas:
  - GHSA-742w-89gc-8m9c
@tatianab
Copy link
Contributor

tatianab commented Jan 9, 2023

Duplicate of #803

@tatianab tatianab closed this as completed Jan 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @GoVulnBot