blob: 33c35e19f1bde416b825ecb94d39a65ff6299598 [file] [log] [blame]
id: GO-2021-0081
modules:
- module: github.com/containers/image
versions:
- fixed: 2.0.2-0.20190802080134-634605d06e73+incompatible
vulnerable_at: 2.0.1+incompatible
packages:
- package: github.com/containers/image/docker
symbols:
- dockerClient.getBearerToken
derived_symbols:
- CheckAuth
- GetRepositoryTags
- Image.GetRepositoryTags
- NewReference
- ParseReference
- SearchRegistry
- dockerImageDestination.PutBlob
- dockerImageDestination.PutManifest
- dockerImageDestination.PutSignatures
- dockerImageDestination.SupportsSignatures
- dockerImageDestination.TryReusingBlob
- dockerImageSource.GetBlob
- dockerImageSource.GetManifest
- dockerImageSource.GetSignatures
- dockerReference.DeleteImage
- dockerReference.NewImage
- dockerReference.NewImageDestination
- dockerReference.NewImageSource
- dockerReference.PolicyConfigurationIdentity
- dockerTransport.ParseReference
summary: Insufficiently Protected Credentials in github.com/containers/image
description: |-
The HTTP client used to connect to the container registry authorization service
explicitly disables TLS verification, allowing an attacker that is able to MITM
the connection to steal credentials.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-10214
ghsas:
- GHSA-85p9-j7c9-v4gr
references:
- fix: https://github.com/containers/image/pull/669
- fix: https://github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf
- web: https://github.com/containers/image/issues/654
- web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
review_status: REVIEWED