Type Confusion in OCI Distribution Specification

#VU58229 Type Confusion in OCI Distribution Specification

Published: 2021-11-18

Vulnerability identifier: #VU58229

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-41190

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OCI Distribution Specification
Web applications / Modules and components for CMS

Vendor: Open Container Initiative

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to a type confusion error. A remote authenticated attacker can pass specially crafted data to the application, trigger a type confusion error and interpret the resulting content differently.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

OCI Distribution Specification: 1.0.0

CPE

cpe:2.3:a:open_container_initiative:oci_distribution_specification:1.0.0:*:*:*:*:*:*:*

External links
http://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
http://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift Container Platform 4.12

Type confusion in IBM CICS TX Standard

Type confusion in IBM CICS TX Advanced

SUSE update for podman

Red Hat Enterprise Linux 8 update for the container-tools:rhel8 module

Multiple vulnerabilities in OpenShift Container Platform 4.11

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in DELL Secure Connect Gateway Security

Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes