{"vulnerability": "CVE-2021-41190", "sightings": [{"uuid": "5bebb710-30d3-404c-9a36-89f6630886f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-41190", "type": "seen", "source": "https://t.me/cibsecurity/32566", "content": "\u203c CVE-2021-41190 \u203c\n\nThe OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both \u201cmanifests\u201d and \u201clayers\u201d fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both \u201cmanifests\u201d and \u201clayers\u201d fields or \u201cmanifests\u201d and \u201cconfig\u201d fields if they are unable to update to version 1.0.1 of the spec.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-17T22:20:54.000000Z"}]}