Docker Registry API is accessible without authentication

Description
  • Docker is a computer program that performs operating-system-level virtualization, also known as "containerization".

    The Docker Registry HTTP API is the protocol to facilitate distribution of images to the docker engine. It interacts with instances of the docker registry, which is a service to manage information about docker images and enable their distribution.

    This Docker Registry API is accessible without authentication. A properly secured registry should return 401 when the "/v2/" endpoint is hit without credentials. The response should include a WWW-Authenticate challenge, providing guidance on how to authenticate, such as with basic auth or a token service.
Remediation
  • Restrict access to the Docker Registry API. Except for registries running on secure local networks, registries should always implement access restrictions.

    The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers basic authentication mechanism).
References