GO-2022-0379

Source
https://pkg.go.dev/vuln/GO-2022-0379
Import Source
https://vuln.go.dev/ID/GO-2022-0379.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0379
Aliases
Published
2022-07-29T20:00:03Z
Modified
2024-05-20T16:03:47Z
Summary
Type confusion in github.com/docker/distribution
Details

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.

A maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest, invalidating the common pattern of relying on container image digests for equivalence.

This problem has been addressed in newer versions by improving validation in manifest unmarshalling.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0379"
}
References

Affected packages

Go / github.com/docker/distribution

Package

Name
github.com/docker/distribution
Purl
pkg:golang/github.com/docker/distribution

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.8.0+incompatible

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/docker/distribution",
            "symbols": [
                "UnmarshalManifest"
            ]
        }
    ]
}