CVE-2020-15157
CVE-2020-15157 is a medium-severity vulnerability in Linuxfoundation Containerd with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-522.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v2: 2.6
- EPSS exploit prediction: 2% (80th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-522
- Affected product: Linuxfoundation Containerd
- Published:
- Last modified:
Description
In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
Frequently asked questions
- What is CVE-2020-15157?
- In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected.
- How severe is CVE-2020-15157?
- CVE-2020-15157 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2020-15157 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-15157?
- CVE-2020-15157 primarily affects Linuxfoundation Containerd. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-15157?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-15157 published?
- CVE-2020-15157 was published on 2020-10-16 and last updated on 2026-06-17.
References
- https://github.com/containerd/containerd/releases/tag/v1.2.14
- https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
- https://usn.ubuntu.com/4589-1/
- https://usn.ubuntu.com/4589-2/
- https://www.debian.org/security/2021/dsa-4865
Affected products (13)
- cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:-:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta0:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:containerd:1.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Linuxfoundation Containerd
- CVE-2026-50195 — Critical (CVSS 9.9): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the…
- CVE-2026-53492 — Critical (CVSS 9.6): containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation…
- CVE-2026-53488 — High (CVSS 8.8): containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI…
- CVE-2021-43816 — High (CVSS 8.0): containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or…
- CVE-2026-46680 — High (CVSS 7.8): containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers…
- CVE-2021-41103 — High (CVSS 7.8): containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was…
All CVEs affecting Linuxfoundation Containerd →
Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2025-54863 — Critical (CVSS 10.0): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration…
- CVE-2024-12799 — Critical (CVSS 10.0): Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64…
- CVE-2024-51545 — Critical (CVSS 10.0): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list…
- CVE-2023-1778 — Critical (CVSS 10.0): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to…
Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →