id: GO-2022-0379
modules:
    - module: github.com/docker/distribution
      versions:
          - fixed: 2.8.0+incompatible
      vulnerable_at: 2.7.1+incompatible
      packages:
          - package: github.com/docker/distribution
            symbols:
                - UnmarshalManifest
summary: Type confusion in github.com/docker/distribution
description: |-
    Systems that rely on digest equivalence for image attestations may be vulnerable
    to type confusion.

    A maliciously crafted OCI Container Image can cause registry clients to parse
    the same image in two different ways without modifying the image's digest,
    invalidating the common pattern of relying on container image digests for
    equivalence.

    This problem has been addressed in newer versions by improving validation in
    manifest unmarshalling.
published: 2022-07-29T20:00:03Z
ghsas:
    - GHSA-qq97-vm5h-rrhg
references:
    - fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
review_status: REVIEWED