A malicious registry could return a different digest for a pinned manifest without detection.
This has been fixed in the v0.7.1 release.
After running a regclient.ManifestGet
, the returned digest can be compared to the requested digest.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-345" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-05T14:46:22Z" }