GHSA-77vh-xpmg-72qh: 
vulnerability analysis and mitigation

The OCI Distribution Specification and Image Specification versions 1.0.0 and prior contained a vulnerability related to content-type confusion. The issue allowed documents containing both 'manifests' and 'layers' fields to be interpreted as either a manifest or an index based solely on the Content-Type header, potentially leading to different interpretations of the same content (GitHub Advisory, OSS Security).

The vulnerability stems from the specification's reliance on the Content-Type header alone to determine document type during push and pull operations. Documents with both 'manifests' and 'layers' fields could be ambiguously interpreted in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client might interpret the resulting content differently. The issue was assigned CVE-2021-41190 and received a CVSS score of 3.0 (Low severity) (GitHub Advisory).

The vulnerability could lead to type confusion where a container's manifest could masquerade as both an image-index or a manifest without modification to the digest, relying only on the HTTP Content-Type header provided by the registry. This ambiguity could potentially affect the security and reliability of container operations (OSS Security).

The issue was patched in OCI Image Specification v1.0.2 and Distribution Specification v1.0.1. The specifications were updated to require that mediaType values present in manifests or indexes match the Content-Type header used during push and pull operations. As a workaround, clients can reject ambiguous documents that contain both 'manifests' and 'layers' fields or 'manifests' and 'config' fields (GitHub Advisory).