Information Exposure Affecting github.com/containerd/containerd/remotes/docker package, versions <1.2.14


0.0
medium

Snyk CVSS

    Exploit Maturity: Proof of concept
    Attack Complexity: High
    User Interaction: Required
    Scope: Changed
    Confidentiality: High
NVD
6.1 medium
SUSE
6.1 medium

  • Snyk ID SNYK-GOLANG-GITHUBCOMCONTAINERDCONTAINERDREMOTESDOCKER-1019358
  • published 18 Oct 2020
  • disclosed 18 Oct 2020
  • credit Brad Geesaman, Josh Larsen, Ian Coldwater, Duffie Cooley, Rory McCune

How to fix?

Upgrade github.com/containerd/containerd/remotes/docker to version 1.2.14 or higher.

Overview

github.com/containerd/containerd/remotes/docker is a docker container runtime with an emphasis on simplicity, robustness and portability.

Affected versions of this package are vulnerable to Information Exposure. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it.
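
To audit an image before it is pulled, the manifest can be checked for layers that carry such a URL. The following is an added example, not code from Snyk or the containerd project: the names `Descriptor`, `ForeignLayers` and `SampleManifest` are hypothetical, the sample manifest is constructed, and the `urls` field and media types are those defined by the OCI Image and Docker Image V2 Schema 2 manifest formats.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor keeps the layer fields that matter here. OCI Image and Docker
// Image V2 Schema 2 manifests use the same JSON names for them.
type Descriptor struct {
	MediaType string   `json:"mediaType"`
	Digest    string   `json:"digest"`
	URLs      []string `json:"urls"`
}

// ForeignLayers returns the layers that carry a "urls" list, i.e. layers a
// client is told to download from a location named in the manifest.
func ForeignLayers(raw []byte) ([]Descriptor, error) {
	var m struct {
		Layers []Descriptor `json:"layers"`
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var out []Descriptor
	for _, l := range m.Layers {
		if len(l.URLs) > 0 {
			out = append(out, l)
		}
	}
	return out, nil
}

// SampleManifest is constructed for this example: placeholder digests and an
// example.com URL, not taken from any real image.
const SampleManifest = `{"schemaVersion": 2, "layers": [
 {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "digest": "sha256:constructed-layer-1"},
 {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
  "digest": "sha256:constructed-layer-2",
  "urls": ["https://layers.example.com/constructed-layer-2"]}]}`

func main() {
	layers, err := ForeignLayers([]byte(SampleManifest))
	fmt.Println(layers, err)
}
```

A non-empty result lists the layers whose download location is chosen by the manifest author rather than by the registry being pulled from.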