GHSA-QQ97-VM5H-RRHG

Vulnerability from github – Published: 2022-02-08 18:53 – Updated: 2023-02-09 15:29
Summary
OCI Manifest Type Confusion Issue
Details

Impact

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.

Patches

Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update to at least the commit after b59a6f827947f9e0e67df0cfb571046de4733586 (https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586).

Workarounds

There is no way to work around this issue without patching.

References

Due to an oversight in the OCI Image Specification (https://github.com/opencontainers/image-spec/pull/411) that removed the embedded mediaType field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest: the registry only has to change the Content-Type header it returns, since the digest covers the manifest bytes and not the header. This can invalidate a common pattern of relying on container image digests for equivalence.
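The following Go program is an added illustration of the mechanism described above; it is not code from the distribution project or from the advisory. It shows why the digest stays the same while the interpretation changes, and one defensive check a client could apply. The names Fetched, Check and ResolveMediaType, the two constructed sample manifests, and the policy of refusing a manifest that carries no embedded mediaType are all assumptions made for this example, not the project's actual fix.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Real OCI media types, used here as the two "parses" a registry could induce.
const (
	OCIManifest = "application/vnd.oci.image.manifest.v1+json"
	OCIIndex    = "application/vnd.oci.image.index.v1+json"
)

// Constructed sample: a manifest whose top-level mediaType is absent, which the
// spec change referenced above permits. Only the config blob has a mediaType.
var AmbiguousManifest = []byte(`{"schemaVersion":2,"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa","size":2},"layers":[]}`)

// Constructed sample: the same manifest with an explicit top-level mediaType.
var ExplicitManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa","size":2},"layers":[]}`)

// Fetched models what a registry client actually receives: raw bytes plus a
// Content-Type header chosen by the registry.
type Fetched struct {
	Body        []byte
	ContentType string
}

// manifestHeader is the subset of fields needed to detect a type mismatch.
type manifestHeader struct {
	SchemaVersion int    `json:"schemaVersion"`
	MediaType     string `json:"mediaType"`
}

// Digest computes the "sha256:<hex>" content digest over the raw manifest
// bytes. The header is deliberately not an input: that is the whole problem.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ResolveMediaType decides which media type to trust for a fetched manifest.
// Policy (hypothetical, for this example): the embedded mediaType is
// authoritative; if it is missing, the header alone is not accepted, and if
// it disagrees with the header the manifest is rejected.
func ResolveMediaType(body []byte, contentType string) (string, error) {
	var hdr manifestHeader
	if err := json.Unmarshal(body, &hdr); err != nil {
		return "", fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	// Drop parameters such as "; charset=utf-8" before comparing.
	ct := strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0])
	if hdr.MediaType == "" {
		return "", errors.New("manifest has no embedded mediaType; refusing to trust Content-Type " + ct)
	}
	if hdr.MediaType != ct {
		return "", fmt.Errorf("type confusion: embedded mediaType %q != Content-Type %q", hdr.MediaType, ct)
	}
	return hdr.MediaType, nil
}

// Check returns the digest of the body and the media type the client may
// trust, or an error when the manifest's type cannot be pinned down.
func Check(f Fetched) (digest, mediaType string, err error) {
	digest = Digest(f.Body)
	mediaType, err = ResolveMediaType(f.Body, f.ContentType)
	return digest, mediaType, err
}

func main() {
	for _, f := range []Fetched{
		{AmbiguousManifest, OCIManifest},
		{AmbiguousManifest, OCIIndex},
		{ExplicitManifest, OCIManifest + "; charset=utf-8"},
		{ExplicitManifest, OCIIndex},
	} {
		d, mt, err := Check(f)
		// The same bytes always yield the same digest, whatever the header says.
		fmt.Printf("digest=%s... header=%-45s ", d[:19], f.ContentType)
		if err != nil {
			fmt.Println("REJECTED:", err)
		} else {
			fmt.Println("trusted mediaType:", mt)
		}
	}
}
```

Run it and the two fetches of AmbiguousManifest print an identical digest even though one is labelled a manifest and the other an index; a client that keys trust decisions on that digest alone would treat them as the same object. Requiring the embedded mediaType makes the parse depend only on the digested bytes, which is the property the digest-equivalence pattern assumes.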

For more information

If you have any questions or comments about this advisory:

* Open an issue in distribution (https://github.com/distribution/distribution)
* Open an issue in distribution-spec (https://github.com/opencontainers/distribution-spec)
* Email us at cncf-distribution-security@lists.cncf.io


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/docker/distribution"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-08T18:53:56Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.\n\n### Patches\n\nUpgrade to at least `v2.8.0-beta.1`  if you are running `v2.x` release. If you use the code from the `main` branch, update at least to the commit after [b59a6f827947f9e0e67df0cfb571046de4733586](https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586).\n\n### Workarounds\n\nThere is no way to work around this issue without patching.\n\n### References\n\nDue to [an oversight in the OCI Image Specification](https://github.com/opencontainers/image-spec/pull/411) that removed the embedded `mediaType` field from manifests, a maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image\u2019s digest by modifying the `Content-Type` header returned by a registry. This can invalidate a common pattern of relying on container image digests for equivalence.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [distribution](https://github.com/distribution/distribution) \n* Open an issue in [distribution-spec](https://github.com/opencontainers/distribution-spec) \n* Email us at [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io)\n",
  "id": "GHSA-qq97-vm5h-rrhg",
  "modified": "2023-02-09T15:29:32Z",
  "published": "2022-02-08T18:53:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/image-spec/pull/411"
    },
    {
      "type": "WEB",
      "url": "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/distribution/distribution"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OCI Manifest Type Confusion Issue"
}
