| id: GO-2022-0379 |
| modules: |
| - module: github.com/docker/distribution |
| versions: |
| - fixed: 2.8.0+incompatible |
| vulnerable_at: 2.7.1+incompatible |
| packages: |
| - package: github.com/docker/distribution |
| symbols: |
| - UnmarshalManifest |
| summary: Type confusion in github.com/docker/distribution |
| description: |- |
| Systems that rely on digest equivalence for image attestations may be vulnerable |
| to type confusion. |
| |
| A maliciously crafted OCI Container Image can cause registry clients to parse |
| the same image in two different ways without modifying the image's digest, |
| invalidating the common pattern of relying on container image digests for |
| equivalence. |
| |
| This problem has been addressed in newer versions by improving validation in |
| manifest unmarshalling. |
| published: 2022-07-29T20:00:03Z |
| ghsas: |
| - GHSA-qq97-vm5h-rrhg |
| references: |
| - fix: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586 |
| review_status: REVIEWED |