PT-2021-7848 · OCI Distribution Specification
Jonjohnsonjr · Published 2021-11-17 · Updated 2025-10-11
CVE-2021-41190
CVSS v3.1: 5.0 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OCI Distribution Specification versions 1.0.0 and prior
Description
The issue concerns the OCI Distribution Specification, which defines an API protocol for content distribution. In versions 1.0.0 and prior, the Content-Type header alone was used to determine the document type during push and pull operations. This could lead to ambiguous interpretations of documents containing both manifests and layers fields, or manifests and config fields, especially if the Content-Type header changed between pulls of the same digest. The specification has been updated to require matching mediaType values and Content-Type headers. Clients that cannot update to version 1.0.1 may distrust the Content-Type header and reject ambiguous documents.
Recommendations
For OCI Distribution Specification versions 1.0.0 and prior, update to version 1.0.1 to ensure that mediaType values match the Content-Type header used during push and pull operations.
As a temporary workaround, consider having clients distrust the Content-Type header and reject ambiguous documents that contain both manifests and layers fields, or manifests and config fields, until the update to version 1.0.1 is possible.
Fix
Type Confusion
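The client-side workaround from the Recommendations above, written out as an added Go example (not code from the specification or from any registry client): the field names and media types are the OCI ones, the function name and the constructed sample document are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
)

// ValidateManifestDocument applies the advisory's client-side workaround: it
// does not trust Content-Type alone, rejects a body that mixes index fields
// ("manifests") with manifest fields ("layers"/"config") or whose mediaType
// disagrees with the header, and otherwise returns the media type to act on.
func ValidateManifestDocument(contentType string, body []byte) (string, error) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("manifest is not a JSON object: %w", err)
	}
	_, hasManifests := doc["manifests"]
	_, hasLayers := doc["layers"]
	_, hasConfig := doc["config"]
	if hasManifests && (hasLayers || hasConfig) {
		return "", errors.New("ambiguous document: mixes image index and image manifest fields")
	}
	// Drop parameters such as "; charset=utf-8" before comparing media types.
	header, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", fmt.Errorf("bad Content-Type header: %w", err)
	}
	declared := ""
	if raw, ok := doc["mediaType"]; ok {
		if err := json.Unmarshal(raw, &declared); err != nil {
			return "", fmt.Errorf("mediaType is not a string: %w", err)
		}
	}
	if declared != "" && declared != header {
		return "", fmt.Errorf("mediaType %q does not match Content-Type %q", declared, header)
	}
	if declared != "" {
		return declared, nil
	}
	return header, nil
}

func main() {
	// Constructed sample: an index-shaped document that also carries a config field.
	_, err := ValidateManifestDocument("application/vnd.oci.image.index.v1+json",
		[]byte(`{"schemaVersion":2,"manifests":[],"config":{}}`))
	fmt.Println("rejected:", err) // prints the ambiguity error
}
```

A client that adopts this check still verifies the digest of the body; the check only decides which document type the bytes may be interpreted as.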
Weakness Enumeration
Related Identifiers
Affected Products
ALT Linux
CentOS
Docker
OCI Distribution Specification
Red Hat
RED OS
Rocky Linux
SUSE