GHSA-xmmx-7jpf-fx42
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xmmx-7jpf-fx42
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-xmmx-7jpf-fx42/GHSA-xmmx-7jpf-fx42.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xmmx-7jpf-fx42
- Aliases
- Related
- Published
- 2024-06-10T18:39:03Z
- Modified
- 2024-07-05T20:52:27Z
- Summary
- Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing
- Details
-
Impact
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.
Patches
This issue has been fixed in Moby (Docker Engine) 20.10.11. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.
Workarounds
Ensure you only pull images from trusted sources.
References
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
For more information
If you have any questions or comments about this advisory: * Open an issue in * Email us at security@docker.com
- References
Affected packages
Go / github.com/docker/docker
Package
- Name
- github.com/docker/docker
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/docker/docker
Go / github.com/moby/moby
Package
- Name
- github.com/moby/moby
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/moby/moby