---

CVE-2021-41190 - log back

CVE-2021-41190 edited at 09 Dec 2021 21:49:47

References

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42 https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923 https://github.com/containerd/containerd/releases/tag/v1.5.8 https://github.com/moby/moby/releases/tag/v20.10.11 https://github.com/hpcng/singularity/releases/tag/v3.8.5 + https://github.com/containers/podman/releases/tag/v3.4.3

CVE-2021-41190 edited at 29 Nov 2021 20:34:01

References

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42 https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923 https://github.com/containerd/containerd/releases/tag/v1.5.8 https://github.com/moby/moby/releases/tag/v20.10.11 + https://github.com/hpcng/singularity/releases/tag/v3.8.5

CVE-2021-41190 edited at 19 Nov 2021 17:14:49
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Insufficient validation
Description	+ In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. + + The OCI Distribution Specification will be updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations.
References	+ https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m + https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh + https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42 + https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923 + https://github.com/containerd/containerd/releases/tag/v1.5.8 + https://github.com/moby/moby/releases/tag/v20.10.11
Notes	+ Workaround + ========== + + Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields.

CVE-2021-41190 created at 19 Nov 2021 17:09:42