
Cloud Vulnerability DB
A community-led vulnerabilities database
The OCI Manifest Type Confusion Issue (GHSA-qq97-vm5h-rrhg) is a security vulnerability in github.com/docker/distribution affecting versions prior to 2.8.0. The vulnerability was published on February 7, 2022. It stems from the OCI Image Specification leaving the embedded mediaType field of manifests and indexes optional: a document that omits it is not self-describing, so its type is decided by the Content-Type header the registry returns, and that header is not part of the bytes the content digest covers. This affects systems that rely on digest equivalence for image attestations (GitHub Advisory).
The vulnerability is triggered by a maliciously crafted OCI container image whose manifest document is valid both as an image manifest and as an image index. A malicious or compromised registry can make clients parse the same bytes in two different ways simply by changing the Content-Type header it returns, without modifying the image's digest. The vulnerability has been assigned a CVSS score of 3.0 (Low severity), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N, with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: Low, User Interaction: Required, Scope: Changed, Confidentiality: None, Integrity: Low, Availability: None (GitHub Advisory).
The primary impact is that it invalidates the common pattern of treating equal digests as equal images. Two clients, or one client at different times, can accept the same digest as different objects (an image manifest in one reading, an index in the other), so an attestation or policy decision bound to that digest may not describe what a consumer actually runs. Systems that depend on digest equivalence for image attestations may therefore be vulnerable to type confusion, compromising the integrity of container image verification (GitHub Advisory, Go Vulnerability).
Users running a v2.x release are advised to upgrade to at least version 2.8.0-beta.1. Those building from the main branch should update to a commit after b59a6f827947f9e0e67df0cfb571046de4733586. There is no workaround without patching. The issue was addressed in newer versions by improving validation in manifest unmarshalling (GitHub Advisory, Go Vulnerability). As a defensive check on the consuming side, verifiers should confirm that the document's embedded mediaType, when present, and the registry's Content-Type both agree with the type they expect before trusting a digest-based attestation.
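An added example in Go (not code from this page or from docker/distribution) that illustrates the mechanism and the fix described above. ambiguousDoc is a constructed document with no embedded mediaType that decodes cleanly as either an image manifest or an image index; NaiveParse models a client that lets Content-Type alone choose the type, while StrictParse is a hypothetical hardened decoder written here, not the project's own validation, that rejects the ambiguity. The placeholder digests inside the document are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// OCI media types as the registry reports them in the Content-Type header.
const (
	mediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	mediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)

// Constructed for this example, not a real image: no embedded mediaType, and both
// the manifest fields (config, layers) and the index field (manifests). Placeholder digests.
const ambiguousDoc = `{
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111", "size": 100},
  "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222", "size": 200}],
  "manifests": [{"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333", "size": 300}]
}`

type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type Manifest struct {
	Config Descriptor   `json:"config"`
	Layers []Descriptor `json:"layers"`
}

type Index struct {
	Manifests []Descriptor `json:"manifests"`
}

// Digest is what a client pins: sha256 over the raw bytes only; the header is not covered.
func Digest(body []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(body))
}

// NaiveParse lets Content-Type alone pick the Go type; unknown JSON keys are ignored.
func NaiveParse(contentType string, body []byte) (string, error) {
	switch contentType {
	case mediaTypeManifest:
		var m Manifest
		if err := json.Unmarshal(body, &m); err != nil {
			return "", err
		}
		return fmt.Sprintf("manifest with %d layer(s)", len(m.Layers)), nil
	case mediaTypeIndex:
		var ix Index
		if err := json.Unmarshal(body, &ix); err != nil {
			return "", err
		}
		return fmt.Sprintf("index with %d manifest(s)", len(ix.Manifests)), nil
	}
	return "", fmt.Errorf("unsupported Content-Type %q", contentType)
}

// StrictParse is a hypothetical hardened decoder (written for this example, not
// distribution's code): reject documents readable as both types, fields that do
// not match the header, and an embedded mediaType that disagrees with it.
func StrictParse(contentType string, body []byte) (string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return "", err
	}
	_, hasConfig := raw["config"]
	_, hasLayers := raw["layers"]
	_, hasManifests := raw["manifests"]
	looksManifest := hasConfig || hasLayers
	if looksManifest && hasManifests {
		return "", errors.New("ambiguous document: has both manifest and index fields")
	}
	if looksManifest != (contentType == mediaTypeManifest) {
		return "", errors.New("document fields do not match Content-Type")
	}
	if mtRaw, ok := raw["mediaType"]; ok {
		var mt string
		if err := json.Unmarshal(mtRaw, &mt); err != nil {
			return "", err
		}
		if mt != contentType {
			return "", fmt.Errorf("embedded mediaType %q does not match Content-Type %q", mt, contentType)
		}
	}
	return NaiveParse(contentType, body)
}

func main() {
	body := []byte(ambiguousDoc)
	fmt.Println("digest:", Digest(body))
	for _, ct := range []string{mediaTypeManifest, mediaTypeIndex} {
		view, _ := NaiveParse(ct, body)
		_, err := StrictParse(ct, body)
		fmt.Printf("%s\n  naive: %s\n  strict: %v\n", ct, view, err)
	}
}
```

Running it shows one digest and two naive views of the same bytes (one layer versus one manifest), while StrictParse refuses the document under either header. The strict variant also rejects a well-formed manifest served with an index Content-Type and vice versa, which is the check an attestation consumer wants in front of any digest comparison.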
Source: This report was generated using AI