Low severity vulnerability was found in gomod github.com/containerd/containerd (go) .

Impact

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Patches

This issue has been fixed in containerd 1.4.12 and 1.5.8. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.

Workarounds

Ensure you only pull images from trusted sources.

References

GHSA-mc8v-mgrf-8f4m
GHSA-77vh-xpmg-72qh

References


Courtesy:https://github.com/advisories/GHSA-5j5w-g665-5m35

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *