reports/GO-2022-0379.yaml - vulndb - Git at Google

 packages:
   - module: github.com/docker/distribution
     symbols:
       - UnmarshalManifest
     versions:
       - fixed: 2.8.0+incompatible
     vulnerable_at: 2.7.1+incompatible
 description: |
     Systems that rely on digest equivalence for image attestations may be
     vulnerable to type confusion.

     A maliciously crafted OCI Container Image can cause registry clients to
     parse the same image in two different ways without modifying the image's
     digest, invalidating the common pattern of relying on container image
     digests for equivalence.

     This problem has been addressed in newer versions by improving validation
     in manifest unmarshaling.
 ghsas:
   - GHSA-qq97-vm5h-rrhg
 links:
     commit: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
	packages:
	- module: github.com/docker/distribution
	symbols:
	- UnmarshalManifest
	versions:
	- fixed: 2.8.0+incompatible
	vulnerable_at: 2.7.1+incompatible
	description: \|
	Systems that rely on digest equivalence for image attestations may be
	vulnerable to type confusion.

	A maliciously crafted OCI Container Image can cause registry clients to
	parse the same image in two different ways without modifying the image's
	digest, invalidating the common pattern of relying on container image
	digests for equivalence.

	This problem has been addressed in newer versions by improving validation
	in manifest unmarshaling.
	ghsas:
	- GHSA-qq97-vm5h-rrhg
	links:
	commit: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586