Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 19 Nov 2021 10:18:20 -0500
From: Vincent Batts <>
Subject: CVE-2021-41190 OCI distribution and image spec: "content-type"

Severity: MEDIUM (moderate in Github GHSA)


The specifications themselves needed additional clarification so that
implementations of container registries, and the clients that parse data
received from registries can have more securely defined behavior.

The undefined behavior this advisory addresses is a "type confusion"
where a JSON document for a container's manifest could masquerade as
both an image-index or a manifest without modification to the digest,
relying only on the HTTP `Content-type` header provided by the registry.

This behavior would have been mitigated by the presence of the
`mediaType` field in these JSON documents. As such a notable, but
non-breaking change introduced in these releases is un-reserving the
`mediaType` field for use, and actively encouraging it's use.

Advisory links:

Release links:


Software attempting to deserialize an ambiguous document may reject the
document if it contains both “manifests” and “layers” fields or
“manifests” and “config” fields.

Expect releases of container clients that can fetch from registries, as
well as registries themselves.

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.