CVE-2021-41190 — Type Confusion in Distribution-spec

CWE-843 — Type Confusion5 documents4 sources

Severity

5.0MEDIUMNVD

EPSS

0.4%

top 39.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opencontainers Distribution-spec Github.com Opencontainers Distribution-spec Containerd +3 more

Timeline

PublishedNov 17

Latest updateNov 18

Description

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages5 packages

▶NVDlinuxfoundation/open_container_initiative_distribution_specification1.0.0

▶CVEListV5opencontainers/distribution-spec< 1.0.1

▶Gogithub.com/opencontainers_distribution-spec< 1.0.1

▶NVDlinuxfoundation/open_container_initiative_image_format_specification1.0.1

▶Ubuntucontainerd/containerd< 1.5.9-0ubuntu1~18.04.1+2

Also affects: Fedora 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Clarify Content-Type handling↗2021-11-18

▶

OSV

Clarify Content-Type handling↗2021-11-18

▶

OSV

CVE-2021-41190: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content↗2021-11-17

▶

📋Vendor Advisories

Red Hat

opencontainers: OCI manifest and index parsing confusion↗2021-11-17

▶