Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:golang/github.com/containerd/containerd@1.2.14
Typegolang
Namespacegithub.com/containerd
Namecontainerd
Version1.2.14
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version1.3.9
Latest_non_vulnerable_version1.7.29
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-gbw6-3a59-mbhu
vulnerability_id VCID-gbw6-3a59-mbhu
summary 
containerd v1.2.x can be coerced into leaking credentials during image pull
## Impact

If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.

If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account.

The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it.

This vulnerability has been rated by the containerd maintainers as medium, with a CVSS score of 6.1 and a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N.

## Patches

This vulnerability has been fixed in containerd 1.2.14.  containerd 1.3 and later are not affected.

## Workarounds

If you are using containerd 1.3 or later, you are not affected.  If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources.  Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.

## Credits

The containerd maintainers would like to thank Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/master/SECURITY.md).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15157
reference_id
reference_type
scores
0
value 0.00777
scoring_system epss
scoring_elements 0.73669
published_at 2026-04-16T12:55:00Z
1
value 0.00777
scoring_system epss
scoring_elements 0.73678
published_at 2026-04-18T12:55:00Z
2
value 0.00777
scoring_system epss
scoring_elements 0.73575
published_at 2026-04-01T12:55:00Z
3
value 0.00777
scoring_system epss
scoring_elements 0.73584
published_at 2026-04-02T12:55:00Z
4
value 0.00777
scoring_system epss
scoring_elements 0.73608
published_at 2026-04-04T12:55:00Z
5
value 0.00777
scoring_system epss
scoring_elements 0.7358
published_at 2026-04-07T12:55:00Z
6
value 0.00777
scoring_system epss
scoring_elements 0.73617
published_at 2026-04-08T12:55:00Z
7
value 0.00777
scoring_system epss
scoring_elements 0.73629
published_at 2026-04-09T12:55:00Z
8
value 0.00777
scoring_system epss
scoring_elements 0.73652
published_at 2026-04-11T12:55:00Z
9
value 0.00777
scoring_system epss
scoring_elements 0.73634
published_at 2026-04-12T12:55:00Z
10
value 0.00777
scoring_system epss
scoring_elements 0.73625
published_at 2026-04-13T12:55:00Z
11
value 0.00846
scoring_system epss
scoring_elements 0.74851
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15157
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15257
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15257
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21284
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21284
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21285
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21285
6
reference_url https://darkbit.io/blog/cve-2020-15157-containerdrip
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://darkbit.io/blog/cve-2020-15157-containerdrip
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/containerd/containerd
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd
9
reference_url https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
10
reference_url https://github.com/containerd/containerd/releases/tag/v1.2.14
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/releases/tag/v1.2.14
11
reference_url https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15157
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15157
13
reference_url https://usn.ubuntu.com/4589-1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4589-1
14
reference_url https://usn.ubuntu.com/4589-2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4589-2
15
reference_url https://www.debian.org/security/2021/dsa-4865
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4865
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1888248
reference_id 1888248
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1888248
17
reference_url https://usn.ubuntu.com/4589-1/
reference_id USN-4589-1
reference_type
scores
url https://usn.ubuntu.com/4589-1/
18
reference_url https://usn.ubuntu.com/4589-2/
reference_id USN-4589-2
reference_type
scores
url https://usn.ubuntu.com/4589-2/
fixed_packages
0
url pkg:golang/github.com/containerd/containerd@1.2.14
purl pkg:golang/github.com/containerd/containerd@1.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/containerd/containerd@1.2.14
aliases CVE-2020-15157, GHSA-742w-89gc-8m9c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbw6-3a59-mbhu
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:golang/github.com/containerd/containerd@1.2.14