CVE-2019-10214
Description
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The containers/image library does not enforce TLS for registry authorization token requests, allowing credentials theft via MiTM.
Vulnerability
Analysis
The containers/image library, used by container tools Podman, Buildah, Skopeo in Red Hat Enterprise Linux 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections when contacting the container registry authorization service [1][2][3]. This means that login credentials (username and password) and bearer tokens are transmitted over unencrypted HTTP instead of HTTPS when the token server is contacted [3][4]. The root cause is the use of different HTTP clients for contacting the bearer token server and the registry; the token server client was not enforcing TLS [1].
Exploitation
An attacker with a position to perform a man-in-the-middle (MiTM) attack on the network path between the container tool and the token server can intercept the unencrypted communication [2][3]. No authentication is needed beyond the network access. The attack surface includes any environment where a container tool authenticates to a registry that uses an external token service over a non-TLS connection.
Impact
Successful exploitation allows the attacker to steal login credentials or bearer tokens [2][3]. With these credentials, the attacker can authenticate to the container registry as the victim and potentially pull or push images, or access other resources protected by the same credentials.
Mitigation
The vulnerability was addressed by an upstream pull request that uses the same TLS-enabled HTTP client for both the registry and the token server [1]. Red Hat released fixes for OpenShift Container Platform 3.11 via RHSA-2019:2817 [3][4]. Users should ensure they are using patched versions of the containers/image library and associated tools.
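The two client patterns from the analysis and the mitigation above, as an added example that is not code from containers/image: the token service, its untrusted self-signed certificate, the credentials and the helper names are all constructed for the demonstration. The patch on this page shows that the dedicated token-server transport was built with InsecureSkipVerify: true, so the example pits that client against a verifying one on a server whose certificate no trusted CA issued, which is what a MiTM presents.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newFakeTokenServer: constructed token service with an untrusted self-signed cert (as a MiTM's forged cert would be).
func newFakeTokenServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"token":"constructed-bearer-token"}`)
	}))
}

// insecureTokenClient reproduces the pre-fix pattern: a separate transport with verification switched off.
func insecureTokenClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// verifyingClient stands in for the shared c.client after the fix: certificates are checked against the system roots.
func verifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{}}}
}

// requestToken sends Basic credentials to the token endpoint as getBearerToken does; returns the status or the TLS error.
func requestToken(client *http.Client, tokenURL, user, pass string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, tokenURL, nil)
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(user, pass) // credentials ride in the Authorization header
	res, err := client.Do(req)
	if err != nil {
		return 0, err // a verifying client fails here, before any header is sent
	}
	defer res.Body.Close()
	return res.StatusCode, nil
}

func main() {
	srv := newFakeTokenServer()
	defer srv.Close()
	fmt.Println(requestToken(insecureTokenClient(), srv.URL+"/token", "user", "secret"))
	fmt.Println(requestToken(verifyingClient(), srv.URL+"/token", "user", "secret"))
}
```

The first call succeeds and hands the credentials to whoever holds the untrusted certificate; the second fails the TLS handshake before the Authorization header leaves the client.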
- [1] Use the same HTTP client for contacting the bearer token server and the registry by mtrmac · Pull Request #669 · containers/image
- [2] NVD - CVE-2019-10214
- [3] Red Hat Bugzilla: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure
- [4] Red Hat Bugzilla (x_refsource_CONFIRM): not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/containers/image (Go) | < 3.0.0 | 3.0.0 |
Affected products
Red Hat / containers/image (GHSA coordinates): 26 affected package versions, none with a CPE assigned.

| Package | Distribution | Affected versions |
|---|---|---|
| pkg:golang/github.com/containers/image | Go module | < 3.0.0 |
| pkg:rpm/almalinux/fuse-overlayfs | AlmaLinux | < 0.3-5.module_el8.3.0+2044+12421f43 |
| pkg:rpm/almalinux/oci-systemd-hook | AlmaLinux | < 1:0.1.15-2.git2d0b8a3.module_el8.5.0+119+9a9ec082 |
| pkg:rpm/almalinux/oci-umount | AlmaLinux | < 2:2.3.4-2.git87f9237.module_el8.5.0+119+9a9ec082 |
| pkg:rpm/opensuse/buildah | openSUSE Leap 15.1 | < 1.7.1-lp151.2.3.1 |
| pkg:rpm/opensuse/buildah | openSUSE Leap 15.2 | < 1.19.2-lp152.2.3.1 |
| pkg:rpm/opensuse/buildah | openSUSE Leap 15.3 | < 1.23.1-150300.8.3.1 |
| pkg:rpm/opensuse/buildah | openSUSE Tumbleweed | < 1.23.0-1.1 |
| pkg:rpm/opensuse/cri-o | openSUSE Leap 15.1 | < 1.17.1-lp151.2.2 |
| pkg:rpm/opensuse/cri-o | openSUSE Tumbleweed | < 1.22.0-1.2 |
| pkg:rpm/opensuse/cri-tools | openSUSE Leap 15.1 | < 1.18.0-lp151.2.1 |
| pkg:rpm/opensuse/go1.14 | openSUSE Leap 15.1 | < 1.14-lp151.6.1 |
| pkg:rpm/opensuse/kubernetes | openSUSE Leap 15.1 | < 1.18.0-lp151.5.1 |
| pkg:rpm/opensuse/libcontainers-common | openSUSE Leap 15.2 | < 20210112-lp152.2.6.1 |
| pkg:rpm/opensuse/podman | openSUSE Leap 15.1 | < 1.4.4-lp151.3.6.1 |
| pkg:rpm/opensuse/podman | openSUSE Leap 15.2 | < 2.2.1-lp152.4.9.1 |
| pkg:rpm/opensuse/podman | openSUSE Tumbleweed | < 3.3.1-2.1 |
| pkg:rpm/opensuse/skopeo | openSUSE Leap 15.0 | < 0.1.32-lp150.8.1 |
| pkg:rpm/opensuse/skopeo | openSUSE Leap 15.1 | < 0.1.32-lp151.2.3.1 |
| pkg:rpm/opensuse/skopeo | openSUSE Tumbleweed | < 1.2.3-1.2 |
| pkg:rpm/suse/buildah | SUSE Linux Enterprise Module for Containers 15 SP1 | < 1.7.1-3.3.1 |
| pkg:rpm/suse/buildah | SUSE Linux Enterprise Module for Containers 15 SP2 | < 1.17.0-3.6.1 |
| pkg:rpm/suse/buildah | SUSE Linux Enterprise Module for Containers 15 SP3 | < 1.23.1-150300.8.3.1 |
| pkg:rpm/suse/podman | SUSE Linux Enterprise Module for Containers 15 SP1 | < 1.4.4-4.11.1 |
| pkg:rpm/suse/skopeo | SUSE Linux Enterprise Module for Server Applications 15 | < 0.1.32-4.8.1 |
| pkg:rpm/suse/skopeo | SUSE Linux Enterprise Module for Server Applications 15 SP1 | < 0.1.32-4.8.1 |
Patches
- 634605d06e73 Merge pull request #669 from mtrmac/bearer-token-tls (1 file changed · +1 −5)
docker/docker_client.go+1 −5 modified@@ -526,11 +526,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge, authReq.SetBasicAuth(c.username, c.password) } logrus.Debugf("%s %s", authReq.Method, authReq.URL.String()) - tr := tlsclientconfig.NewTransport() - // TODO(runcom): insecure for now to contact the external token service - tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} - client := &http.Client{Transport: tr} - res, err := client.Do(authReq) + res, err := c.client.Do(authReq) if err != nil { return nil, err }
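Review bot: the hunk removes the only visible uses of the `tls` package and `tlsclientconfig.NewTransport()` in getBearerToken, yet the summary reports 1 file changed with +1 −5 and no import lines touched, so confirm both imports are still referenced elsewhere in docker/docker_client.go, otherwise Go rejects the unused imports at compile time. Reusing `c.client` is the right fix, since the removed transport disabled certificate verification with `InsecureSkipVerify: true`; a regression test asserting that the token request to a server with an untrusted certificate now fails would pin that behaviour, and the deleted `TODO(runcom)` comment, which was the only documentation of the insecure path, should be replaced by a changelog note that token-server connections are now verified the same way registry connections are.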
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00035.html (GHSA, vendor advisory, x_refsource_SUSE, web)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html (GHSA, vendor advisory, x_refsource_SUSE, web)
- github.com/advisories/GHSA-85p9-j7c9-v4gr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10214 (GHSA, advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA, web)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM, web)
- github.com/containers/image/commit/634605d06e738aec8332bcfd69162e7509ac7aaf (GHSA, web)
- github.com/containers/image/issues/654 (GHSA, web)
- github.com/containers/image/pull/655 (GHSA, web)
- github.com/containers/image/pull/669 (GHSA, web)
- pkg.go.dev/vuln/GO-2021-0081 (GHSA, web)