Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xcTk3LXZtNWgtcnJoZ80psQ
OCI Manifest Type Confusion Issue
Impact
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.
Patches
Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update at least to the commit after b59a6f827947f9e0e67df0cfb571046de4733586.
Workarounds
There is no way to work around this issue without patching.
References
Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest, by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.
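As an added illustration (not code from the distribution project or from this advisory), the Go program below shows why a digest alone cannot pin the manifest type: the digest covers only the manifest bytes, while a client that lets the registry's Content-Type header select the parser can be steered to a different interpretation of identical bytes. The sample manifests are constructed, and ResolveMediaType is a hypothetical client-side policy that trusts the embedded mediaType field when present and flags the manifest as unpinned when it is absent.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const (
	MediaTypeDockerManifest = "application/vnd.docker.distribution.manifest.v2+json"
	MediaTypeOCIManifest    = "application/vnd.oci.image.manifest.v1+json"
)

// Constructed sample manifests (not real images): the first omits the embedded mediaType
// field, as the OCI spec permitted; the second states it explicitly.
var (
	UnpinnedManifest = []byte(`{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":2},"layers":[]}`)
	PinnedManifest   = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":2},"layers":[]}`)
)

// Digest covers only the manifest bytes, so the registry's Content-Type header cannot change it.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ResolveMediaType decides which parser a client may trust for a manifest served with the
// given Content-Type. pinned is true only when the digest-covered bytes state a mediaType
// (a disagreeing header is rejected); when the field is absent, the header alone picks the parser.
func ResolveMediaType(manifest []byte, contentType string) (mediaType string, pinned bool, err error) {
	var hdr struct {
		MediaType string `json:"mediaType"`
	}
	if err := json.Unmarshal(manifest, &hdr); err != nil {
		return "", false, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	if hdr.MediaType == "" {
		return contentType, false, nil
	}
	if hdr.MediaType != contentType {
		return "", true, fmt.Errorf("embedded mediaType %q disagrees with Content-Type %q", hdr.MediaType, contentType)
	}
	return hdr.MediaType, true, nil
}

func main() {
	fmt.Println(ResolveMediaType(PinnedManifest, MediaTypeDockerManifest))
}
```

A client that receives pinned == false should not treat digest equality with another party as proof that both parsed the image the same way.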
For more information
If you have any questions or comments about this advisory:
- Open an issue in distribution
- Open an issue in distribution-spec
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcTk3LXZtNWgtcnJoZ80psQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 3.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Identifiers: GHSA-qq97-vm5h-rrhg
References:
- https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg
- https://github.com/opencontainers/image-spec/pull/411
- https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
- https://pkg.go.dev/vuln/GO-2022-0379
- https://github.com/advisories/GHSA-qq97-vm5h-rrhg
Blast Radius: 13.6
Affected Packages
go:github.com/docker/distribution
Dependent packages: 10,510
Dependent repositories: 33,614
Affected Version Ranges: < 2.8.0
Fixed in: 2.8.0
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1
All unaffected versions: 2.8.0, 2.8.1, 2.8.2, 2.8.3