blob: f510cd400d29301c328199627e0b624ac6b8563a [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0379",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-07-29T20:00:03Z",
"aliases": [
"GHSA-qq97-vm5h-rrhg"
],
"summary": "Type confusion in github.com/docker/distribution",
"details": "Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.\n\nA maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest, invalidating the common pattern of relying on container image digests for equivalence.\n\nThis problem has been addressed in newer versions by improving validation in manifest unmarshalling.",
"affected": [
{
"package": {
"name": "github.com/docker/distribution",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0+incompatible"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/docker/distribution",
"symbols": [
"UnmarshalManifest"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0379"
}
}