Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-xmmx-7jpf-fx42: Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing

Impact

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Patches

This issue has been fixed in Moby (Docker Engine) 20.10.11. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.

Workarounds

Ensure you only pull images from trusted sources.

References

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh

For more information

If you have any questions or comments about this advisory:

ghsa
#git#docker
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-xmmx-7jpf-fx42

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing

Moderate severity GitHub Reviewed Published Nov 18, 2021 in moby/moby • Updated Jun 10, 2024

Package

gomod github.com/docker/docker (Go)

Affected versions

< 20.10.11

Patched versions

20.10.11

Impact

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Patches

This issue has been fixed in Moby (Docker Engine) 20.10.11. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.

Workarounds

Ensure you only pull images from trusted sources.

References

GHSA-mc8v-mgrf-8f4m
GHSA-77vh-xpmg-72qh

For more information

If you have any questions or comments about this advisory:

References

  • GHSA-xmmx-7jpf-fx42

Published to the GitHub Advisory Database

Jun 10, 2024

Last updated

Jun 10, 2024

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP