Unknown · OCI Distribution Specification · CVE-2021-41190
**Name of the Vulnerable Software and Affected Versions**
OCI Distribution Specification versions 1.0.0 and prior
**Description**
The issue concerns the OCI Distribution Specification, which defines an API protocol for content distribution. In versions 1.0.0 and prior, the Content-Type header alone was used to determine the document type during push and pull operations. This could lead to ambiguous interpretations of documents containing both `manifests` and `layers` fields or `manifests` and `config` fields, especially if the Content-Type header changed between pulls of the same digest. The specification has been updated to require matching mediaType values and Content-Type headers. Clients may distrust the Content-Type header and reject ambiguous documents if they cannot update to version 1.0.1.
**Recommendations**
For OCI Distribution Specification versions 1.0.0 and prior, update to version 1.0.1 to ensure that mediaType values match the Content-Type header used during push and pull operations.
As a temporary workaround, consider having clients distrust the Content-Type header and reject ambiguous documents that contain both `manifests` and `layers` fields or `manifests` and `config` fields until the update to version 1.0.1 is possible.
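The client-side check described in the Description and in this workaround, as an added example that is not part of the advisory or of any OCI project code: it parses a manifest document, rejects it when it mixes index fields (`manifests`) with image-manifest fields (`layers`, `config`), infers the document type from its structure rather than from the header, and then requires both the embedded `mediaType` and the `Content-Type` header to agree with that inferred type (the 1.0.1 rule). The media type constants are the OCI image-spec values; the sample documents are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
	"strings"
)

// OCI image-spec media types for the two document kinds the advisory mentions.
const (
	MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeImageIndex    = "application/vnd.oci.image.index.v1+json"
)

// ErrAmbiguous: the document carries fields of both an index and an image manifest.
var ErrAmbiguous = errors.New("ambiguous document: mixes index and image-manifest fields")

// ErrMediaTypeMismatch: header or embedded mediaType disagrees with the document structure.
var ErrMediaTypeMismatch = errors.New("mediaType does not match document type")

// ValidateManifest decides the document type from the body and returns it,
// refusing ambiguous documents and any Content-Type / mediaType disagreement.
func ValidateManifest(contentType string, body []byte) (string, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	_, hasManifests := fields["manifests"]
	_, hasLayers := fields["layers"]
	_, hasConfig := fields["config"]

	// Workaround from the advisory: reject documents that could be read either way.
	if hasManifests && (hasLayers || hasConfig) {
		return "", ErrAmbiguous
	}

	// Infer the type from structure, not from the (untrusted) header.
	var docType string
	switch {
	case hasManifests:
		docType = MediaTypeImageIndex
	case hasLayers || hasConfig:
		docType = MediaTypeImageManifest
	default:
		return "", errors.New("document has neither index nor image-manifest fields")
	}

	// An embedded mediaType, if present, must agree with the inferred type.
	if raw, ok := fields["mediaType"]; ok {
		var mt string
		if err := json.Unmarshal(raw, &mt); err != nil {
			return "", fmt.Errorf("invalid mediaType field: %w", err)
		}
		if mt != docType {
			return "", fmt.Errorf("%w: body mediaType %q, structure implies %q", ErrMediaTypeMismatch, mt, docType)
		}
	}

	// 1.0.1 requirement: the Content-Type header must match as well.
	// mime.ParseMediaType lowercases the type and strips parameters such as charset.
	ct, _, err := mime.ParseMediaType(contentType)
	if err != nil || !strings.EqualFold(ct, docType) {
		return "", fmt.Errorf("%w: header %q, document is %q", ErrMediaTypeMismatch, contentType, docType)
	}
	return docType, nil
}

func main() {
	// Constructed sample documents (not real registry content).
	samples := []struct {
		name, contentType string
		body              string
	}{
		{"consistent manifest", MediaTypeImageManifest,
			`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{},"layers":[]}`},
		{"ambiguous index+layers", MediaTypeImageIndex,
			`{"schemaVersion":2,"manifests":[],"layers":[]}`},
		{"header says index, body is manifest", MediaTypeImageIndex,
			`{"schemaVersion":2,"config":{},"layers":[]}`},
	}
	for _, s := range samples {
		docType, err := ValidateManifest(s.contentType, []byte(s.body))
		if err != nil {
			fmt.Printf("%-40s REJECT: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-40s ACCEPT as %s\n", s.name, docType)
	}
}
```

Callers that still talk to pre-1.0.1 registries can treat the header check as a warning instead of a rejection, but the ambiguity check should remain a hard failure, since it is what makes the same digest interpretable in two different ways.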