OCI Manifest Type Confusion Issue

Low severity GitHub Reviewed Published Feb 7, 2022 in distribution/distribution • Updated Feb 9, 2023

Package

gomod github.com/docker/distribution (Go)

Affected versions

< 2.8.0

Patched versions

2.8.0

Description

Impact

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.

Patches

Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update to at least the commit after b59a6f827947f9e0e67df0cfb571046de4733586.

Workarounds

There is no way to work around this issue without patching.

References

Due to an oversight in the OCI Image Specification that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image’s digest by modifying the Content-Type header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.
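The following is an added example, not code from distribution/distribution, showing the client-side check that closes this gap: the digest is computed over the manifest bytes alone, so it cannot distinguish two interpretations, and a client must therefore require the manifest to carry its own mediaType and refuse bodies where it is absent or disagrees with the Content-Type header. The manifest bodies, the error values and the policy function are constructed for illustration; the media type strings are the real OCI and Docker identifiers.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Real media type identifiers from the OCI image spec and Docker schema2.
const (
	OCIManifestType    = "application/vnd.oci.image.manifest.v1+json"
	DockerManifestType = "application/vnd.docker.distribution.manifest.v2+json"
)

var (
	ErrAmbiguous = errors.New("manifest has no embedded mediaType; refusing to trust Content-Type alone")
	ErrMismatch  = errors.New("embedded mediaType disagrees with Content-Type header")
)

// Constructed sample bodies (not real images; config digest is a placeholder).
// AmbiguousManifest omits mediaType as the OCI spec allowed; ExplicitManifest embeds it.
var (
	AmbiguousManifest = []byte(`{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":1},"layers":[]}`)
	ExplicitManifest  = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":1},"layers":[]}`)
)

// Digest is the content-addressable identifier a client pins to. It depends only on
// the bytes, never on the Content-Type header, so the header can vary without changing it.
func Digest(body []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(body))
}

// ResolveManifestType decides how to parse a manifest fetched with the given Content-Type.
// Policy (assumed here): the body must carry its own mediaType and it must match the header;
// otherwise one digest could be interpreted two ways depending on what the registry sends.
func ResolveManifestType(contentType string, body []byte) (string, error) {
	var hdr struct {
		MediaType string `json:"mediaType"`
	}
	if err := json.Unmarshal(body, &hdr); err != nil {
		return "", err
	}
	if hdr.MediaType == "" {
		return "", ErrAmbiguous
	}
	if hdr.MediaType != contentType {
		return "", fmt.Errorf("%w: body %q, header %q", ErrMismatch, hdr.MediaType, contentType)
	}
	return hdr.MediaType, nil
}

func main() {
	// Same bytes, same digest, two different headers: the check rejects both.
	for _, ct := range []string{OCIManifestType, DockerManifestType} {
		_, err := ResolveManifestType(ct, AmbiguousManifest)
		fmt.Printf("%s with Content-Type %s -> %v\n", Digest(AmbiguousManifest), ct, err)
	}
}
```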

For more information

If you have any questions or comments about this advisory:

@milosgajdos milosgajdos published to distribution/distribution Feb 7, 2022
Published to the GitHub Advisory Database Feb 8, 2022
Reviewed Feb 8, 2022
Last updated Feb 9, 2023

Severity

Low: 3.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-qq97-vm5h-rrhg

Credits
