The HTTP client used to connect to the container registry authorization service explicitly disables TLS certificate verification, allowing an attacker who is able to intercept (MITM) the connection to steal credentials.
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2021-0081" }
{ "imports": [ { "path": "github.com/containers/image/docker", "symbols": [ "CheckAuth", "GetRepositoryTags", "Image.GetRepositoryTags", "NewReference", "ParseReference", "SearchRegistry", "dockerClient.getBearerToken", "dockerImageDestination.PutBlob", "dockerImageDestination.PutManifest", "dockerImageDestination.PutSignatures", "dockerImageDestination.SupportsSignatures", "dockerImageDestination.TryReusingBlob", "dockerImageSource.GetBlob", "dockerImageSource.GetManifest", "dockerImageSource.GetSignatures", "dockerReference.DeleteImage", "dockerReference.NewImage", "dockerReference.NewImageDestination", "dockerReference.NewImageSource", "dockerReference.PolicyConfigurationIdentity", "dockerTransport.ParseReference" ] } ] }