CVE-2021-41190 log

Severity Medium
Remote Yes
Type Insufficient validation
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.

The OCI Distribution Specification will be updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations.
Group Package Affected Fixed Severity Status Ticket
AVG-2593 singularity-container 3.8.4-1 3.8.5-1 Medium Fixed
AVG-2591 podman 3.4.2-1 3.4.4-1 Medium Fixed
AVG-2574 docker 1:20.10.10-1 1:20.10.11-1 Medium Fixed
AVG-2573 containerd 1.5.7-1 1.5.8-1 Medium Fixed

Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields.