CVE-2019-10214 — Insufficiently Protected Credentials in github.com/containers/image

Description

The HTTP client used to connect to the container registry authorization service explicitly disables TLS verification, allowing an attacker that is able to MITM the connection to steal credentials.

How to fix CVE-2019-10214

To remediate CVE-2019-10214, upgrade the affected package to a fixed version below.

Go/github.com/containers/image—upgrade to 3.0.0 or later
—upgrade to 2.0.2-0.20190802080134-634605d06e73+incompatible or later

Is CVE-2019-10214 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.0
from 0, < 2.0.2-0.20190802080134-634605d06e73+incompatible

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.4	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10214
PATCHgithub.com/containers/image
WEBlists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html
WEBlists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html