VulnerableCode Package Details - pkg:rpm/redhat/openshift@4.7.0-202102060108.p0.git.97095.7271b90?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-gbw6-3a59-mbhu Aliases: CVE-2020-15157 GHSA-742w-89gc-8m9c	containerd v1.2.x can be coerced into leaking credentials during image pull ## Impact If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been rated by the containerd maintainers as medium, with a CVSS score of 6.1 and a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N. ## Patches This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. ## Workarounds If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. ## Credits The containerd maintainers would like to thank Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/master/SECURITY.md).	There are no reported fixed by versions.
VCID-uf1d-16sm-wqe3 Aliases: CVE-2019-3884	atomic-openshift: cross-namespace owner references can trigger deletions of valid children	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-gbw6-3a59-mbhu
Aliases:
CVE-2020-15157
GHSA-742w-89gc-8m9c

containerd v1.2.x can be coerced into leaking credentials during image pull ## Impact If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been rated by the containerd maintainers as medium, with a CVSS score of 6.1 and a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N. ## Patches This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. ## Workarounds If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. ## Credits The containerd maintainers would like to thank Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/master/SECURITY.md).

There are no reported fixed by versions.

VCID-uf1d-16sm-wqe3
Aliases:
CVE-2019-3884

atomic-openshift: cross-namespace owner references can trigger deletions of valid children

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:20:38.878715+00:00	RedHat Importer	Affected by	VCID-uf1d-16sm-wqe3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3884.json	38.0.0
2026-04-01T14:04:14.056061+00:00	RedHat Importer	Affected by	VCID-gbw6-3a59-mbhu	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json	38.0.0

2026-04-01T14:20:38.878715+00:00

RedHat Importer

Affected by

VCID-uf1d-16sm-wqe3

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-3884.json

38.0.0

2026-04-01T14:04:14.056061+00:00

RedHat Importer

Affected by

VCID-gbw6-3a59-mbhu

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15157.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	3.1