CVE-2021-41190
Clarify Content-Type handling in OCI spec
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.
El proyecto OCI Distribution Spec define un protocolo API para facilitar y estandarizar la distribución de contenidos. En la versión 1.0.0 de OCI Distribution Specification y anteriores, se utilizaba únicamente la cabecera Content-Type para determinar el tipo de documento durante las operaciones push y pull. Los documentos que contenían campos "manifiestos" y "capas" podían interpretarse como un manifiesto o un índice en ausencia de una cabecera Content-Type que los acompañara. Si una cabecera Content-Type cambiaba entre dos pulls del mismo compendio, un cliente podría interpretar el contenido resultante de forma diferente. La especificación de distribución de la OCI se ha actualizado para exigir que el valor de mediaType presente en un manifiesto o índice coincida con la cabecera Content-Type utilizada durante las operaciones push y pull. Los clientes que extraen de un registro pueden desconfiar de la cabecera Content-Type y rechazar un documento ambiguo que contenga campos "manifiestos" y "capas" o campos "manifiestos" y "config" si no pueden actualizarse a la versión 1.0.1 de la especificación
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-09-15 CVE Reserved
- 2021-11-17 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CAPEC
References (13)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2021/11/19/10 | Mailing List |
|
| https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Open Container Initiative Distribution Specification Search vendor "Linuxfoundation" for product "Open Container Initiative Distribution Specification" | <= 1.0.0 Search vendor "Linuxfoundation" for product "Open Container Initiative Distribution Specification" and version " <= 1.0.0" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Open Container Initiative Image Format Specification Search vendor "Linuxfoundation" for product "Open Container Initiative Image Format Specification" | <= 1.0.1 Search vendor "Linuxfoundation" for product "Open Container Initiative Image Format Specification" and version " <= 1.0.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||