GHSA-5j5w-g665-5m35

Suggest an improvement
Source
https://github.com/advisories/GHSA-5j5w-g665-5m35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-5j5w-g665-5m35/GHSA-5j5w-g665-5m35.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5j5w-g665-5m35
Published
2021-11-18T16:08:58Z
Modified
2023-03-30T14:50:04Z
Severity
  • CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Summary
Ambiguous OCI manifest parsing
Details

Impact

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Patches

This issue has been fixed in containerd 1.4.12 and 1.5.8. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.

Workarounds

Ensure you only pull images from trusted sources.

References

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh

For more information

If you have any questions or comments about this advisory: * Open an issue in containerd * Email us at security@containerd.io

References

Affected packages

Go / github.com/containerd/containerd

Package

Name
github.com/containerd/containerd
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd

Affected ranges

Type
SEMVER
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.4.12

Go / github.com/containerd/containerd

Package

Name
github.com/containerd/containerd
View open source insights on deps.dev
Purl
pkg:golang/github.com/containerd/containerd

Affected ranges

Type
SEMVER
Events
Introduced
1.5.0
Fixed
1.5.8