Vulnerability Report: GO-2022-0379
- GHSA-qq97-vm5h-rrhg
- Affects: github.com/docker/distribution
- Published: Jul 29, 2022
- Modified: May 20, 2024
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion. A maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest, invalidating the common pattern of relying on container image digests for equivalence. This problem has been addressed in newer versions by improving validation in manifest unmarshalling.
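The parsing ambiguity and the stricter validation described above, as an added Go example that is not distribution's own code or its actual fix: the ImageManifest and ImageIndex types are hypothetical stand-ins for the OCI schemas, the JSON body is constructed to carry keys from both, and StrictParse uses encoding/json's DisallowUnknownFields as one way to make a given digest map to a single interpretation.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the OCI image manifest and image index
// schemas (example types, not github.com/docker/distribution's own).
type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
}
type ImageManifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}
type ImageIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	Manifests     []descriptor `json:"manifests"`
}

// Constructed sample body that carries both "layers" and "manifests" keys.
var Ambiguous = []byte(`{"schemaVersion":2,` +
	`"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa"},` +
	`"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar","digest":"sha256:bbbb"}],` +
	`"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:cccc"}]}`)

// Digest is the content digest that clients treat as the image identity.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// LenientParse is the pre-fix pattern: unknown keys are ignored, so the same bytes decode as either schema.
func LenientParse(b []byte, v interface{}) error { return json.Unmarshal(b, v) }

// StrictParse rejects keys outside the expected schema, so one digest has only one interpretation.
func StrictParse(b []byte, v interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(b))
	dec.DisallowUnknownFields()
	return dec.Decode(v)
}

func main() {
	m, i := ImageManifest{}, ImageIndex{}
	fmt.Println(Digest(Ambiguous), LenientParse(Ambiguous, &m), LenientParse(Ambiguous, &i))
	fmt.Println(StrictParse(Ambiguous, &ImageManifest{}), StrictParse(Ambiguous, &ImageIndex{}))
}
```

Running it shows the same digest accepted twice by the lenient path (once as a manifest with one layer, once as an index with one child manifest) and rejected twice by the strict path.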
Affected Packages
- Path: github.com/docker/distribution
- Go Versions: before v2.8.0+incompatible
- Symbols: none listed
References
- https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586
- https://vuln.go.dev/ID/GO-2022-0379.json