Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-gbw6-3a59-mbhu
Summary
containerd v1.2.x can be coerced into leaking credentials during image pull
## Impact

If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers.

If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account.

The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it.

This vulnerability has been rated by the containerd maintainers as medium, with a CVSS score of 6.1 and a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N.

## Patches

This vulnerability has been fixed in containerd 1.2.14.  containerd 1.3 and later are not affected.

## Workarounds

If you are using containerd 1.3 or later, you are not affected.  If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources.  Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.

## Credits

The containerd maintainers would like to thank Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/master/SECURITY.md).
Aliases
0
alias CVE-2020-15157
1
alias GHSA-742w-89gc-8m9c
Fixed_packages
0
url pkg:deb/debian/containerd@1.3.2~ds1-2?distro=trixie
purl pkg:deb/debian/containerd@1.3.2~ds1-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@1.3.2~ds1-2%3Fdistro=trixie
1
url pkg:deb/debian/containerd@1.4.13~ds1-1~deb11u4?distro=trixie
purl pkg:deb/debian/containerd@1.4.13~ds1-1~deb11u4?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@1.4.13~ds1-1~deb11u4%3Fdistro=trixie
2
url pkg:deb/debian/containerd@1.6.20~ds1-1%2Bdeb12u2?distro=trixie
purl pkg:deb/debian/containerd@1.6.20~ds1-1%2Bdeb12u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xd4a-qav4-uqd1
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@1.6.20~ds1-1%252Bdeb12u2%3Fdistro=trixie
3
url pkg:deb/debian/containerd@1.7.24~ds1-6%2Bdeb13u1?distro=trixie
purl pkg:deb/debian/containerd@1.7.24~ds1-6%2Bdeb13u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@1.7.24~ds1-6%252Bdeb13u1%3Fdistro=trixie
4
url pkg:deb/debian/containerd@2.1.4~ds2-8?distro=trixie
purl pkg:deb/debian/containerd@2.1.4~ds2-8?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@2.1.4~ds2-8%3Fdistro=trixie
5
url pkg:deb/debian/containerd@2.1.6%2Bds1-1?distro=trixie
purl pkg:deb/debian/containerd@2.1.6%2Bds1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/containerd@2.1.6%252Bds1-1%3Fdistro=trixie
6
url pkg:deb/debian/docker.io@18.09.1%2Bdfsg1-7.1%2Bdeb10u3
purl pkg:deb/debian/docker.io@18.09.1%2Bdfsg1-7.1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3eju-5upk-auhy
1
vulnerability VCID-41ft-14gt-bbbq
2
vulnerability VCID-6vru-hsfs-rufg
3
vulnerability VCID-bhju-575k-ebh3
4
vulnerability VCID-e9ng-x516-53cf
5
vulnerability VCID-gbw6-3a59-mbhu
6
vulnerability VCID-gund-83cy-9fap
7
vulnerability VCID-h83p-v26k-s7fa
8
vulnerability VCID-pevy-d197-zydv
9
vulnerability VCID-u44m-mgza-nfcx
10
vulnerability VCID-uckr-kzdf-7ydj
11
vulnerability VCID-yt33-nmzd-r3cs
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@18.09.1%252Bdfsg1-7.1%252Bdeb10u3
7
url pkg:deb/debian/docker.io@19.03.13%2Bdfsg2-1?distro=trixie
purl pkg:deb/debian/docker.io@19.03.13%2Bdfsg2-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@19.03.13%252Bdfsg2-1%3Fdistro=trixie
8
url pkg:deb/debian/docker.io@20.10.5%2Bdfsg1-1
purl pkg:deb/debian/docker.io@20.10.5%2Bdfsg1-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3eju-5upk-auhy
1
vulnerability VCID-41ft-14gt-bbbq
2
vulnerability VCID-bhju-575k-ebh3
3
vulnerability VCID-e9ng-x516-53cf
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@20.10.5%252Bdfsg1-1
9
url pkg:deb/debian/docker.io@20.10.5%2Bdfsg1-1%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/docker.io@20.10.5%2Bdfsg1-1%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sky-21r5-3qcu
1
vulnerability VCID-6tg9-3vhh-muae
2
vulnerability VCID-8e1u-z6kg-ryhc
3
vulnerability VCID-avqu-wswg-c3ga
4
vulnerability VCID-b2qe-8u58-2qck
5
vulnerability VCID-bzeb-kj67-vfds
6
vulnerability VCID-e82r-vc77-f7bz
7
vulnerability VCID-njcw-wc13-dqcz
8
vulnerability VCID-quyf-eq2s-dbda
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@20.10.5%252Bdfsg1-1%252Bdeb11u2%3Fdistro=trixie
10
url pkg:deb/debian/docker.io@20.10.24%2Bdfsg1-1%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/docker.io@20.10.24%2Bdfsg1-1%2Bdeb12u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sky-21r5-3qcu
1
vulnerability VCID-6tg9-3vhh-muae
2
vulnerability VCID-8e1u-z6kg-ryhc
3
vulnerability VCID-b2qe-8u58-2qck
4
vulnerability VCID-njcw-wc13-dqcz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@20.10.24%252Bdfsg1-1%252Bdeb12u1%3Fdistro=trixie
11
url pkg:deb/debian/docker.io@26.1.5%2Bdfsg1-9?distro=trixie
purl pkg:deb/debian/docker.io@26.1.5%2Bdfsg1-9?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@26.1.5%252Bdfsg1-9%3Fdistro=trixie
12
url pkg:deb/debian/docker.io@28.5.2%2Bdfsg3-2?distro=trixie
purl pkg:deb/debian/docker.io@28.5.2%2Bdfsg3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@28.5.2%252Bdfsg3-2%3Fdistro=trixie
13
url pkg:golang/github.com/containerd/containerd@1.2.14
purl pkg:golang/github.com/containerd/containerd@1.2.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/containerd/containerd@1.2.14
Affected_packages
0
url pkg:deb/debian/docker.io@1.6.2~dfsg1-1~bpo8%2B1
purl pkg:deb/debian/docker.io@1.6.2~dfsg1-1~bpo8%2B1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-165g-hgmx-nybk
1
vulnerability VCID-3eju-5upk-auhy
2
vulnerability VCID-41ft-14gt-bbbq
3
vulnerability VCID-43es-2d6x-jba8
4
vulnerability VCID-6vru-hsfs-rufg
5
vulnerability VCID-ahbf-gwnw-nufp
6
vulnerability VCID-bhju-575k-ebh3
7
vulnerability VCID-e6sp-khpk-r3d8
8
vulnerability VCID-e9ng-x516-53cf
9
vulnerability VCID-eb24-pguf-ryg1
10
vulnerability VCID-f6d3-yyvz-xqgs
11
vulnerability VCID-gbw6-3a59-mbhu
12
vulnerability VCID-gund-83cy-9fap
13
vulnerability VCID-h83p-v26k-s7fa
14
vulnerability VCID-pevy-d197-zydv
15
vulnerability VCID-qwqe-27yu-8kds
16
vulnerability VCID-sh5d-p485-6qh4
17
vulnerability VCID-su25-rgw1-xkg6
18
vulnerability VCID-u44m-mgza-nfcx
19
vulnerability VCID-uckr-kzdf-7ydj
20
vulnerability VCID-yt33-nmzd-r3cs
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@1.6.2~dfsg1-1~bpo8%252B1
1
url pkg:deb/debian/docker.io@18.09.1%2Bdfsg1-7.1%2Bdeb10u3
purl pkg:deb/debian/docker.io@18.09.1%2Bdfsg1-7.1%2Bdeb10u3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3eju-5upk-auhy
1
vulnerability VCID-41ft-14gt-bbbq
2
vulnerability VCID-6vru-hsfs-rufg
3
vulnerability VCID-bhju-575k-ebh3
4
vulnerability VCID-e9ng-x516-53cf
5
vulnerability VCID-gbw6-3a59-mbhu
6
vulnerability VCID-gund-83cy-9fap
7
vulnerability VCID-h83p-v26k-s7fa
8
vulnerability VCID-pevy-d197-zydv
9
vulnerability VCID-u44m-mgza-nfcx
10
vulnerability VCID-uckr-kzdf-7ydj
11
vulnerability VCID-yt33-nmzd-r3cs
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/docker.io@18.09.1%252Bdfsg1-7.1%252Bdeb10u3
2
url pkg:rpm/redhat/openshift@4.7.0-202102060108.p0.git.97095.7271b90?arch=el8
purl pkg:rpm/redhat/openshift@4.7.0-202102060108.p0.git.97095.7271b90?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gbw6-3a59-mbhu
1
vulnerability VCID-uf1d-16sm-wqe3
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift@4.7.0-202102060108.p0.git.97095.7271b90%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15157
reference_id
reference_type
scores
0
value 0.00777
scoring_system epss
scoring_elements 0.73669
published_at 2026-04-16T12:55:00Z
1
value 0.00777
scoring_system epss
scoring_elements 0.73678
published_at 2026-04-18T12:55:00Z
2
value 0.00777
scoring_system epss
scoring_elements 0.73575
published_at 2026-04-01T12:55:00Z
3
value 0.00777
scoring_system epss
scoring_elements 0.73584
published_at 2026-04-02T12:55:00Z
4
value 0.00777
scoring_system epss
scoring_elements 0.73608
published_at 2026-04-04T12:55:00Z
5
value 0.00777
scoring_system epss
scoring_elements 0.7358
published_at 2026-04-07T12:55:00Z
6
value 0.00777
scoring_system epss
scoring_elements 0.73617
published_at 2026-04-08T12:55:00Z
7
value 0.00777
scoring_system epss
scoring_elements 0.73629
published_at 2026-04-09T12:55:00Z
8
value 0.00777
scoring_system epss
scoring_elements 0.73652
published_at 2026-04-11T12:55:00Z
9
value 0.00777
scoring_system epss
scoring_elements 0.73634
published_at 2026-04-12T12:55:00Z
10
value 0.00777
scoring_system epss
scoring_elements 0.73625
published_at 2026-04-13T12:55:00Z
11
value 0.00846
scoring_system epss
scoring_elements 0.74851
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15157
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15257
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15257
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21284
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21284
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21285
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21285
6
reference_url https://darkbit.io/blog/cve-2020-15157-containerdrip
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://darkbit.io/blog/cve-2020-15157-containerdrip
7
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
8
reference_url https://github.com/containerd/containerd
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd
9
reference_url https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
10
reference_url https://github.com/containerd/containerd/releases/tag/v1.2.14
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/releases/tag/v1.2.14
11
reference_url https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15157
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15157
13
reference_url https://usn.ubuntu.com/4589-1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4589-1
14
reference_url https://usn.ubuntu.com/4589-2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4589-2
15
reference_url https://www.debian.org/security/2021/dsa-4865
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2021/dsa-4865
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1888248
reference_id 1888248
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1888248
17
reference_url https://usn.ubuntu.com/4589-1/
reference_id USN-4589-1
reference_type
scores
url https://usn.ubuntu.com/4589-1/
18
reference_url https://usn.ubuntu.com/4589-2/
reference_id USN-4589-2
reference_type
scores
url https://usn.ubuntu.com/4589-2/
Weaknesses
0
cwe_id 522
name Insufficiently Protected Credentials
description The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
1
cwe_id 200
name Exposure of Sensitive Information to an Unauthorized Actor
description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Exploits
Severity_range_score4.0 - 6.9
Exploitability0.5
Weighted_severity6.2
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-gbw6-3a59-mbhu