data/reports/GO-2022-0379.yaml - vulndb - Git at Google

 modules:
   - module: github.com/docker/distribution
     versions:
       - fixed: 2.8.0+incompatible
     vulnerable_at: 2.7.1+incompatible
     packages:
       - package: github.com/docker/distribution
         symbols:
           - UnmarshalManifest
 description: |
     Systems that rely on digest equivalence for image attestations may be
     vulnerable to type confusion.

     A maliciously crafted OCI Container Image can cause registry clients to
     parse the same image in two different ways without modifying the image's
     digest, invalidating the common pattern of relying on container image
     digests for equivalence.

     This problem has been addressed in newer versions by improving validation
     in manifest unmarshaling.
 published: 2022-07-29T20:00:03Z
 ghsas:
   - GHSA-qq97-vm5h-rrhg
 references:
   - fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
	modules:
	- module: github.com/docker/distribution
	versions:
	- fixed: 2.8.0+incompatible
	vulnerable_at: 2.7.1+incompatible
	packages:
	- package: github.com/docker/distribution
	symbols:
	- UnmarshalManifest
	description: \|
	Systems that rely on digest equivalence for image attestations may be
	vulnerable to type confusion.

	A maliciously crafted OCI Container Image can cause registry clients to
	parse the same image in two different ways without modifying the image's
	digest, invalidating the common pattern of relying on container image
	digests for equivalence.

	This problem has been addressed in newer versions by improving validation
	in manifest unmarshaling.
	published: 2022-07-29T20:00:03Z
	ghsas:
	- GHSA-qq97-vm5h-rrhg
	references:
	- fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586