PT-2020-5851 · Containerd+5 · Kubernetes Containerd+4
Brad Geesaman +4 · Published 2020-02-18 · Updated 2024-08-21 · CVE-2020-15157
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
containerd versions 1.2.0 through 1.2.13
Description:
The issue is related to the incorrect handling of the image manifest in the containerd runtime environment. If a container image manifest includes a URL for a specific image layer, the default containerd resolver will follow that URL to attempt to download it. In versions 1.2.x, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. This allows an attacker to obtain the credentials used for pulling the image, which may include the user's username and password for the registry or credentials attached to the cloud virtual instance, granting access to other cloud resources in the account.
Recommendations:
For containerd versions 1.2.0 through 1.2.13, update to version 1.2.14 or later to fix the vulnerability.
For users of cri-containerd in the 1.2 series or prior, ensure you only pull images from trusted sources.
If you are using containerd 1.3 or later, you are not affected by this issue.
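To act on the "trusted sources" advice, a manifest can be audited before pulling for layer descriptors that carry a `urls` field, which is what sends the resolver to another server. The following is an added example, not code from containerd or from this advisory; the sample manifest, host names and digests are constructed, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: Docker schema 2 manifest; hosts and digests are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + "a" * 64, "size": 1024},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "digest": "sha256:" + "b" * 64, "size": 2048,
         "urls": ["https://layers.example.net/l2.tar.gz",
                  "https://registry.example.com/v2/app/blobs/l2"]},
    ],
})

def external_layer_urls(manifest_json, trusted_hosts):
    """Return (digest, url, reason) for every layer URL a resolver would be
    sent to that is not HTTPS on a host in trusted_hosts."""
    findings = []
    for layer in json.loads(manifest_json).get("layers", []):
        for url in layer.get("urls", []):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme != "https":
                reason = "non-https scheme"
            elif host not in trusted_hosts:
                reason = "untrusted host"
            else:
                continue
            findings.append((layer.get("digest", "<no digest>"), url, reason))
    return findings

def containerd_affected(version):
    """True only for the range this page lists: 1.2.0 through 1.2.13."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (1, 2, 0) <= tuple(int(p) for p in m.groups()) <= (1, 2, 13)

if __name__ == "__main__":
    for digest, url, reason in external_layer_urls(SAMPLE_MANIFEST, {"registry.example.com"}):
        print(f"{reason}: {digest[:19]}... -> {url}")
    print("1.2.13 affected:", containerd_affected("1.2.13"))
```

A manifest list (image index) has no `layers` key, so each platform manifest it references has to be fetched and checked separately.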
Exploit
Fix
Insufficiently Protected Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Kubernetes Containerd
Linuxmint
Suse
Ubuntu