CVE-2021-41190 log

Source
Severity Medium
Remote Yes
Type Insufficient validation
Description 
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.

The OCI Distribution Specification will be updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations.
Group Package Affected Fixed Severity Status Ticket
AVG-2593 singularity-container 3.8.4-1 3.8.5-1 Medium Fixed
AVG-2591 podman 3.4.2-1 3.4.4-1 Medium Fixed
AVG-2574 docker 1:20.10.10-1 1:20.10.11-1 Medium Fixed
AVG-2573 containerd 1.5.7-1 1.5.8-1 Medium Fixed
References 
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11
https://github.com/hpcng/singularity/releases/tag/v3.8.5
https://github.com/containers/podman/releases/tag/v3.4.3
Notes 
Workaround
==========

Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields.