Type Confusion in OCI Distribution Specification

#VU58229 Type Confusion in OCI Distribution Specification

Published: 2021-11-18 | Updated: 2023-05-01

Vulnerability identifier: #VU58229

Vulnerability risk: Low

CVSSv3.1: 2.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41190

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OCI Distribution Specification
Web applications / Modules and components for CMS

Vendor: Open Container Initiative

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to a type confusion error. A remote authenticated attacker can pass specially crafted data to the application, trigger a type confusion error and interpret the resulting content differently.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OCI Distribution Specification: 1.0.0

External links
http://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
http://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Multiple vulnerabilities in IBM Edge Application Manager

Multiple vulnerabilities in OpenShift Container Platform 4.12

Type confusion in IBM CICS TX Standard

Type confusion in IBM CICS TX Advanced

SUSE update for podman

Red Hat Enterprise Linux 8 update for the container-tools:rhel8 module

Multiple vulnerabilities in Oracle Linux

Multiple vulnerabilities in OpenShift Container Platform 4.11