Vulnerability Information
Vulnerability Title
Clarify Content-Type handling in OCI spec
Vulnerability Description
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.
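The client-side mitigation described above, as an added example (not code from the OCI project or from this advisory). The function and exception names are hypothetical, the sample document is constructed, and ignoring Content-Type parameters and the final shape check are assumptions of this sketch.

```python
import json

MANIFEST = "application/vnd.oci.image.manifest.v1+json"
INDEX = "application/vnd.oci.image.index.v1+json"


class AmbiguousDocument(ValueError):
    """Hypothetical exception: the pulled document must not be trusted."""


def check_document(body, content_type):
    """Return the media type to use for `body`, or raise AmbiguousDocument."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise AmbiguousDocument("document is not a JSON object")

    # An index field next to manifest fields is the ambiguous case: reject it
    # no matter what the registry claims in Content-Type.
    if "manifests" in doc and ("layers" in doc or "config" in doc):
        raise AmbiguousDocument("index and manifest fields in one document")

    # Assumption: header parameters such as "; charset=utf-8" are ignored.
    header = (content_type or "").split(";", 1)[0].strip().lower()
    embedded = doc.get("mediaType")
    if embedded is not None and not isinstance(embedded, str):
        raise AmbiguousDocument("mediaType is not a string")

    # Spec 1.0.1 rule: an embedded mediaType must match the header.
    if embedded is not None and header and embedded.lower() != header:
        raise AmbiguousDocument(f"mediaType {embedded!r} != header {header!r}")

    media_type = embedded.lower() if embedded is not None else header
    if not media_type:
        raise AmbiguousDocument("neither mediaType nor Content-Type present")

    # Extra conservative check (assumption of this sketch): the fields present
    # must fit the type the document will be handled as.
    if media_type == INDEX and ("layers" in doc or "config" in doc):
        raise AmbiguousDocument("manifest fields in a document typed as index")
    if media_type == MANIFEST and "manifests" in doc:
        raise AmbiguousDocument("index field in a document typed as manifest")
    return media_type


# Constructed sample: a manifest whose embedded mediaType is set.
SAMPLE = json.dumps({"schemaVersion": 2, "mediaType": MANIFEST,
                     "config": {}, "layers": []}).encode()
```

A client would run this check after verifying the digest of the pulled bytes and before deciding whether to parse them as a manifest or as an index.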
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Vulnerability Type
Access of resource using incompatible type (type confusion)
Vulnerability Title
OCI Distribution-Spec Code Issue Vulnerability
Vulnerability Description
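OCI Distribution-Spec is an OCI distribution specification. OCI Distribution-Spec has a code issue vulnerability, which stems from the product using the Content-Type header to determine the document type and for other operations. An attacker can use this vulnerability to cause the text content to change. The following products and versions are affected: OCI Distribution Specification versions prior to 1.0.1.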
CVSS Information
N/A
Vulnerability Type
N/A