A low-severity vulnerability was found in the Go module github.com/opencontainers/image-spec.

Impact

In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.

Patches

The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document.

Workarounds

Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.
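
One way to implement the check described above, as an added example (not code from the image-spec project). The names classify, probe and errAmbiguous are hypothetical, and the mediaType cross-check goes one step beyond the workaround by applying the recommendation from the Patches section when the field is present.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// OCI media types for the two document kinds.
const (
	mediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	mediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)

// probe captures only the fields that tell a manifest from an index.
// A json.RawMessage field stays nil when its key is absent.
type probe struct {
	MediaType string          `json:"mediaType"`
	Manifests json.RawMessage `json:"manifests"`
	Layers    json.RawMessage `json:"layers"`
	Config    json.RawMessage `json:"config"`
}

var errAmbiguous = errors.New("ambiguous document: index and manifest fields both present")

// classify returns "index" or "manifest". It rejects documents that could be
// read as either type, or whose mediaType contradicts the fields they carry.
func classify(raw []byte) (string, error) {
	var p probe
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", err
	}
	if p.Manifests != nil && (p.Layers != nil || p.Config != nil) {
		return "", errAmbiguous
	}
	kind, want := "manifest", mediaTypeManifest
	if p.Manifests != nil {
		kind, want = "index", mediaTypeIndex
	}
	if p.MediaType != "" && p.MediaType != want {
		return "", fmt.Errorf("mediaType %q does not match %s fields", p.MediaType, kind)
	}
	return kind, nil
}

func main() {
	// Constructed sample: carries "manifests", "layers" and "config" at once.
	fmt.Println(classify([]byte(`{"schemaVersion":2,"manifests":[],"layers":[],"config":{}}`)))
}
```

Run the check on the raw bytes before unmarshalling into a concrete manifest or index type, so that the same digest cannot be accepted under both interpretations.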

References

GHSA-mc8v-mgrf-8f4m

Courtesy: https://github.com/advisories/GHSA-77vh-xpmg-72qh

By admin
