### Impact
Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.

Due to an oversight in the OCI Image Specification that removed the embedded `mediaType` field from manifests, a maliciously crafted OCI container image can cause registry clients to parse the same manifest bytes in two different ways, without any change to the image's digest, simply because of the `Content-Type` header a registry returns. The digest covers only the bytes of the manifest, not the header that tells the client how to interpret them, so two parties can agree on a digest and still interpret the content differently (for example, as an image manifest versus an image index). This invalidates a common pattern of relying on container image digests as proof of equivalence.
### Patches
Upgrade to at least v2.8.0-beta.1 if you are running a v2.x release. If you use the code from the main branch, update to at least the commit after b59a6f827947f9e0e67df0cfb571046de4733586.
### Workarounds
There is no way to work around this issue without patching.
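The following Go program is an added example, not code from the distribution project or its fix. It shows the behaviour described above: a constructed manifest body with no embedded `mediaType` that carries both an image manifest's `config`/`layers` and an index's `manifests` decodes cleanly as either type depending only on the `Content-Type` string, while its digest is identical in both cases. `ParseStrict` is a hypothetical hardening check (an assumption, not the project's patch) that rejects a body whose embedded `mediaType` disagrees with `Content-Type` and a body that mixes the two manifest shapes. The bodies and the digests inside them are constructed placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// OCI media types as defined by the image spec.
const (
	MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeImageIndex    = "application/vnd.oci.image.index.v1+json"
)

// Descriptor is the subset of an OCI descriptor used here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// imageManifest and imageIndex mirror the two OCI manifest shapes. Neither
// requires an embedded mediaType, so the bytes alone do not say which one
// they are; encoding/json also ignores fields the target struct lacks.
type imageManifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType,omitempty"`
	Config        Descriptor   `json:"config"`
	Layers        []Descriptor `json:"layers"`
}

type imageIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType,omitempty"`
	Manifests     []Descriptor `json:"manifests"`
}

// AmbiguousBody is a constructed manifest (placeholder digests) that carries
// both shapes at once and omits mediaType.
var AmbiguousBody = []byte(`{
  "schemaVersion": 2,
  "config": {"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa","size":1},
  "layers": [{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bbbb","size":2}],
  "manifests": [{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:cccc","size":3}]
}`)

// CleanManifestBody is a constructed, well-formed image manifest for comparison.
var CleanManifestBody = []byte(`{
  "schemaVersion": 2,
  "config": {"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa","size":1},
  "layers": [{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bbbb","size":2}]
}`)

// Digest is the content digest of a manifest: it covers the bytes only,
// never the Content-Type header that a registry sends alongside them.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ParseByContentType is the vulnerable pattern: the header alone decides
// what the bytes mean, and unknown fields are silently ignored.
func ParseByContentType(contentType string, body []byte) (string, error) {
	switch contentType {
	case MediaTypeImageManifest:
		var m imageManifest
		if err := json.Unmarshal(body, &m); err != nil {
			return "", err
		}
		return "image manifest", nil
	case MediaTypeImageIndex:
		var idx imageIndex
		if err := json.Unmarshal(body, &idx); err != nil {
			return "", err
		}
		return "image index", nil
	default:
		return "", fmt.Errorf("unsupported media type %q", contentType)
	}
}

// ParseStrict is a hypothetical hardened parser (assumption, not the
// project's fix): an embedded mediaType must match Content-Type, and a body
// may only carry the fields of the shape the header claims.
func ParseStrict(contentType string, body []byte) (string, error) {
	var probe struct {
		MediaType string          `json:"mediaType"`
		Config    json.RawMessage `json:"config"`
		Layers    json.RawMessage `json:"layers"`
		Manifests json.RawMessage `json:"manifests"`
	}
	if err := json.Unmarshal(body, &probe); err != nil {
		return "", err
	}
	if probe.MediaType != "" && probe.MediaType != contentType {
		return "", fmt.Errorf("embedded mediaType %q does not match Content-Type %q", probe.MediaType, contentType)
	}
	switch contentType {
	case MediaTypeImageManifest:
		if probe.Manifests != nil {
			return "", errors.New("image manifest body carries an index's manifests field")
		}
		if probe.Config == nil || probe.Layers == nil {
			return "", errors.New("image manifest body lacks config or layers")
		}
	case MediaTypeImageIndex:
		if probe.Config != nil || probe.Layers != nil {
			return "", errors.New("image index body carries config/layers fields")
		}
		if probe.Manifests == nil {
			return "", errors.New("image index body lacks manifests")
		}
	default:
		return "", fmt.Errorf("unsupported media type %q", contentType)
	}
	return ParseByContentType(contentType, body)
}

func main() {
	fmt.Println("digest (same for both headers):", Digest(AmbiguousBody))
	for _, ct := range []string{MediaTypeImageManifest, MediaTypeImageIndex} {
		kind, err := ParseByContentType(ct, AmbiguousBody)
		fmt.Printf("naive  %s -> %q err=%v\n", ct, kind, err)
		kind, err = ParseStrict(ct, AmbiguousBody)
		fmt.Printf("strict %s -> %q err=%v\n", ct, kind, err)
	}
}
```

The strict check only narrows the problem for a client that also controls its own decoding; an attestation that binds just the digest still says nothing about which shape a given registry will present, which is why the advisory treats digest equivalence alone as insufficient.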
### For more information
If you have any questions or comments about this advisory:
* Open an issue in distribution
* Open an issue in distribution-spec
* Email us at cncf-distribution-security@lists.cncf.io
CWE: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
1.3
GHSA ID: GHSA-qq97-vm5h-rrhg