This repository has been archived by the owner on Oct 22, 2023. It is now read-only.

Exposure of Docker Hub credentials to third-party registries

Moderate
charleskorn published GHSA-5wh8-955c-33j8 Aug 24, 2019 · 1 comment

Package

batect

Affected versions

0.18.0-0.35.0

Patched versions

0.35.1

Description

Your Docker Hub credentials may have been sent to a third-party registry if all of the following are true:

  • you have your Docker Hub credentials stored locally (i.e. you have run docker login against Docker Hub),
  • the Docker image you are using is not stored on Docker Hub (e.g. it is on a private or third-party registry),
  • you are using the image directly (with image) and not as the base image for an image being built (in a Dockerfile within build_directory),
  • the image had not already been pulled, so batect pulled it for you, and
  • the image is specified in the format registry/image_name in your batect configuration file (other formats, such as registry/repo/image_name, are not affected).

Impact

If all of the criteria above are fulfilled, your Docker Hub credentials have been sent to the third-party registry.

To be clear, credentials for private registries have not been exposed, only those for Docker Hub.

Affected versions

Version 0.18.0 is the first affected version, and the issue is fixed in version 0.35.1.

How to check for exposure

You can check whether your Docker Hub credentials are stored locally by running docker logout. Note that this command also removes the stored credentials, so you will need to run docker login again afterwards if you want to keep using them.

If Docker responds with Removing login credentials for https://index.docker.io/v1/, then your credentials were stored locally and may have been exposed.

If Docker responds with Not logged in to https://index.docker.io/v1/, then your credentials were not stored locally and were not exposed.
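The following is an added example and is not batect's own code or part of the original advisory. It shows two things the text above describes only in prose: a non-destructive version of the docker logout check (it reads ~/.docker/config.json, or the directory named by DOCKER_CONFIG, instead of deleting the login), and the credential-routing rule a tool must apply so that a registry/image_name reference to a third-party registry never receives the Docker Hub login. The routing rule assumed here is Docker's own reference grammar (the first path component is a registry only if it contains a "." or ":" or is "localhost"; otherwise the image lives on Docker Hub), and the config.json layout is the one the Docker CLI writes (an "auths" map keyed by registry, with Docker Hub stored under https://index.docker.io/v1/ and, when a credential helper is configured, an empty entry recording the login). The advisory does not describe batect's internal cause, so this shows the correct behaviour rather than the bug. The sample configuration is constructed for the example.

```python
import base64
import json
import os
from pathlib import Path
from typing import Optional

DOCKER_HUB_AUTH_KEY = "https://index.docker.io/v1/"
DOCKER_HUB_DOMAIN = "docker.io"

# Constructed sample config.json, not a real credential store.
SAMPLE_CONFIG = {
    "auths": {
        DOCKER_HUB_AUTH_KEY: {"auth": base64.b64encode(b"hub-user:hub-secret").decode()},
        "registry.example.com": {"auth": base64.b64encode(b"priv-user:priv-token").decode()},
    }
}


def registry_for_image(image: str) -> str:
    """Return the registry an image reference resolves to, using Docker's rule:
    the first path component is a registry only if it contains '.' or ':' or is
    'localhost'; anything else (including a bare 'org/image') is Docker Hub."""
    first, sep, _rest = image.partition("/")
    if not sep:
        return DOCKER_HUB_DOMAIN  # e.g. "alpine" -> library image on Docker Hub
    if "." in first or ":" in first or first == "localhost":
        return first  # e.g. "registry.example.com/image", "localhost:5000/image"
    return DOCKER_HUB_DOMAIN  # e.g. "myorg/image"


def credential_key_for_registry(registry: str) -> str:
    """Map a registry host to the key the Docker CLI uses in config.json."""
    if registry in (DOCKER_HUB_DOMAIN, "index.docker.io"):
        return DOCKER_HUB_AUTH_KEY
    return registry


def credentials_for_image(config: dict, image: str) -> Optional[dict]:
    """Return the stored auth entry that may be sent when pulling `image`, or None.
    Only the entry for the image's own registry is ever returned, so a Docker Hub
    login is never handed to a third-party registry."""
    auths = config.get("auths", {})
    key = credential_key_for_registry(registry_for_image(image))
    return auths.get(key)


def docker_hub_credentials_stored(config: dict) -> bool:
    """Non-destructive equivalent of the `docker logout` check in the advisory.
    With a credsStore/credHelpers the secret lives in the helper, but the CLI
    still records the registry key in "auths", so key presence is the signal."""
    return DOCKER_HUB_AUTH_KEY in config.get("auths", {})


def load_docker_config(path: Optional[Path] = None) -> dict:
    """Load the Docker CLI config (DOCKER_CONFIG/config.json or ~/.docker/config.json)."""
    if path is None:
        base = os.environ.get("DOCKER_CONFIG") or str(Path.home() / ".docker")
        path = Path(base) / "config.json"
    if not path.exists():
        return {}
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


if __name__ == "__main__":
    real = load_docker_config()
    if docker_hub_credentials_stored(real):
        print(f"Docker Hub login present under {DOCKER_HUB_AUTH_KEY}; may have been exposed")
    else:
        print("No Docker Hub login stored locally; not exposed")
    # Demonstrate routing on the constructed sample.
    for ref in ("registry.example.com/image", "myorg/image", "localhost:5000/image"):
        entry = credentials_for_image(SAMPLE_CONFIG, ref)
        print(f"{ref:32} -> registry {registry_for_image(ref):22} "
              f"credential {'present' if entry else 'none'}")
```

The decisive case is registry.example.com/image: registry_for_image classifies it as a third-party registry because the first component contains a dot, so credentials_for_image returns only the registry.example.com entry and never the Docker Hub one. Run the script as-is to perform the non-destructive exposure check against your own config.json.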

Remedy

The issue is fixed in batect version 0.35.1. Teams can update to the latest version by running ./batect --upgrade. It is highly recommended that anyone affected by this reset their Docker Hub password.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs