### Impact
In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.
### Patches
The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document.
Release v1.0.2 includes these updates.
### Workarounds
Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.
### References
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
### For more information
If you have any questions or comments about this advisory:
* Open an issue in https://github.com/opencontainers/image-spec
* Email us at security@opencontainers.org
* https://github.com/opencontainers/image-spec/commits/v1.0.2
Access of Resource Using Incompatible Type ('Type Confusion')
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in