Malcontent Docker Registry Credential Exposure Vulnerability
Vulnerability
A vulnerability in Malcontent versions 0.10.0 through 1.20.3 can unintentionally expose Docker registry credentials. The issue arises when Malcontent scans a specially crafted OCI image reference, because the tool uses the Docker credential keychain by default. A malicious registry could exploit this by redirecting authentication tokens to an attacker-controlled endpoint, leading to credential leakage. Exploitation requires user interaction.
Impact
Exploitation of this vulnerability could result in the unauthorized disclosure of Docker registry credentials, allowing an attacker to access private images or resources.
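To see which stored credentials fall under this exposure, the following added example (not Malcontent's code, and not from the advisory) inventories the registries for which a Docker client config.json can supply credentials through the keychain. The function name, the `registry=source` output format and the sample config are constructed for illustration, and lookup is simplified to the `auths`, `credHelpers` and `credsStore` fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// dockerConfig holds the credential-bearing fields of a Docker client config.json.
type dockerConfig struct {
	Auths map[string]struct {
		Auth          string `json:"auth"`
		IdentityToken string `json:"identitytoken"`
	} `json:"auths"`
	CredHelpers map[string]string `json:"credHelpers"`
	CredsStore  string            `json:"credsStore"`
}

// credentialSources lists "registry=source" for each registry the config holds credentials for.
func credentialSources(raw []byte) ([]string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse docker config: %w", err)
	}
	src := map[string]string{}
	for host, a := range cfg.Auths {
		if a.Auth != "" || a.IdentityToken != "" {
			src[host] = "inline" // secret stored in the file itself
		} else if cfg.CredsStore != "" {
			src[host] = "store:" + cfg.CredsStore // empty entry: secret lives in the store
		}
	}
	for host, helper := range cfg.CredHelpers {
		src[host] = "helper:" + helper // a per-registry helper overrides the other sources
	}
	out := make([]string, 0, len(src))
	for host, s := range src {
		out = append(out, host+"="+s)
	}
	sort.Strings(out)
	return out, nil
}

// sampleConfig is constructed for this example ("dXNlcjpwYXNz" is base64 of "user:pass").
const sampleConfig = `{"auths":{"ghcr.io":{"auth":"dXNlcjpwYXNz"},"registry.example.test":{}},"credHelpers":{"gcr.io":"gcloud"},"credsStore":"desktop"}`

func main() {
	fmt.Println(credentialSources([]byte(sampleConfig)))
}
```

To audit a real host, pass the contents of the Docker client config file in place of `sampleConfig`; each listed registry is a credential the keychain can hand to an OCI pull.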
Reproduction
To reproduce this vulnerability, scan an OCI image reference that has been crafted to exploit the credential handling in Malcontent. Ensure that Malcontent is set to use the Docker keychain for authentication, which can be done by including the '--oci-auth' option when running the tool. With the keychain in use, credentials can leak to a malicious registry that intercepts the authentication tokens.
Remediation
Users can update to Malcontent version 1.20.3 or later, which defaults to anonymous authentication for OCI image pulls, thereby preventing credential leakage. Instructions for updating can be found in the Malcontent repository on GitHub.
