
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-15157 is a credential-leaking vulnerability discovered in containerd (an industry-standard container runtime) in versions before 1.2.14. The vulnerability was disclosed in October 2020 and affects the container image-pulling process. The issue impacts systems using containerd's default resolver, including the cri-containerd plugin used by Kubernetes, the ctr development tool, and other client programs that explicitly link against it (Aqua Security, GitHub Advisory).
The vulnerability occurs when processing URLs in container image manifests using the OCI Image format or Docker Image V2 Schema 2 format. If a container image manifest includes a URL for a specific image layer (known as a 'foreign layer'), the default containerd resolver will attempt to download it. In v1.2.x versions, the resolver provides authentication credentials if the server hosting the URL responds with an HTTP 401 status code along with registry-specific HTTP headers. The vulnerability has been rated as medium severity with a CVSS v3.1 score of 6.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N) (GitHub Advisory).
If exploited, an attacker could obtain the credentials used for pulling images. These credentials could be either the user's username and password for the registry or the credentials attached to the cloud virtual instance, potentially granting access to other cloud resources in the account (GitHub Advisory, Aqua Security).
The vulnerability has been fixed in containerd version 1.2.14. Users of containerd 1.3 and later versions are not affected. For those using cri-containerd in the 1.2 series or prior, it is recommended to only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected (GitHub Advisory, Ubuntu Security).
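As an added example that is not part of this report, the following Python 3 check audits an image manifest before a pull and flags any layer whose `urls` entry would send the puller to a host other than the registry it is pulling from, which is exactly the foreign-layer precondition described above. The manifest and host names are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Manifest media types whose layers may carry a per-layer "urls" list.
MANIFEST_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
}

# Constructed sample: a Docker Image V2 Schema 2 manifest whose second layer
# points the puller at a third-party host instead of the registry itself.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5678, "digest": "sha256:" + "b" * 64},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 9012, "digest": "sha256:" + "c" * 64,
         "urls": ["https://layers.example.net/blobs/sha256:" + "c" * 64]},
    ],
})


def foreign_layer_urls(manifest_json, registry_host):
    """Return (digest, url) pairs for every layer URL not hosted on registry_host.

    Each such entry is a location a v1.2.x containerd resolver would fetch from,
    and to which it would send registry credentials on an HTTP 401 reply.
    OCI manifests may omit mediaType, so only an explicitly foreign type is rejected.
    """
    manifest = json.loads(manifest_json)
    media_type = manifest.get("mediaType")
    if media_type is not None and media_type not in MANIFEST_TYPES:
        raise ValueError("not an OCI or Docker V2 Schema 2 image manifest")
    findings = []
    for layer in manifest.get("layers", []):
        for url in layer.get("urls", []):
            host = urlparse(url).hostname or ""
            if host.lower() != registry_host.lower():
                findings.append((layer.get("digest", "<missing>"), url))
    return findings


def is_safe_to_pull(manifest_json, registry_host):
    """True when no layer would be fetched from outside the named registry."""
    return not foreign_layer_urls(manifest_json, registry_host)


if __name__ == "__main__":
    for digest, url in foreign_layer_urls(SAMPLE_MANIFEST, "registry.example.com"):
        print(f"foreign layer {digest[:19]}... would be fetched from {url}")
```

On an unpatched 1.2.x host, a manifest that fails this check should be rejected rather than pulled, in line with the advice to pull only from trusted sources.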
Source: This report was generated using AI