data/reports/GO-2022-0379.yaml - vulndb - Git at Google

 id: GO-2022-0379
 modules:
     - module: github.com/docker/distribution
       versions:
         - fixed: 2.8.0+incompatible
       vulnerable_at: 2.7.1+incompatible
       packages:
         - package: github.com/docker/distribution
           symbols:
             - UnmarshalManifest
 summary: Type confusion in github.com/docker/distribution
 description: |-
     Systems that rely on digest equivalence for image attestations may be vulnerable
     to type confusion.

     A maliciously crafted OCI Container Image can cause registry clients to parse
     the same image in two different ways without modifying the image's digest,
     invalidating the common pattern of relying on container image digests for
     equivalence.

     This problem has been addressed in newer versions by improving validation in
     manifest unmarshalling.
 published: 2022-07-29T20:00:03Z
 ghsas:
     - GHSA-qq97-vm5h-rrhg
 references:
     - fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
	id: GO-2022-0379
	modules:
	- module: github.com/docker/distribution
	versions:
	- fixed: 2.8.0+incompatible
	vulnerable_at: 2.7.1+incompatible
	packages:
	- package: github.com/docker/distribution
	symbols:
	- UnmarshalManifest
	summary: Type confusion in github.com/docker/distribution
	description: \|-
	Systems that rely on digest equivalence for image attestations may be vulnerable
	to type confusion.

	A maliciously crafted OCI Container Image can cause registry clients to parse
	the same image in two different ways without modifying the image's digest,
	invalidating the common pattern of relying on container image digests for
	equivalence.

	This problem has been addressed in newer versions by improving validation in
	manifest unmarshalling.
	published: 2022-07-29T20:00:03Z
	ghsas:
	- GHSA-qq97-vm5h-rrhg
	references:
	- fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586