ALAS2NITRO-ENCLAVES-2021-014 --- containerd
ID: oval:org.secpod.oval:def:1700774 | Date: (C)2021-12-14 (M)2023-11-24 | Class: PATCH | Family: unix
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby prior to 20.10.11 and versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changes between pulls of the same ambiguous document, the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.
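The ambiguity described above can be checked for on the client side before a document is deserialized. The following is an added example, not code from containerd, Moby or this advisory; the function names `classify` and `is_accepted` are hypothetical and the sample documents and digests are constructed.

```python
import json

MANIFEST_TYPES = {"application/vnd.oci.image.manifest.v1+json",
                  "application/vnd.docker.distribution.manifest.v2+json"}
INDEX_TYPES = {"application/vnd.oci.image.index.v1+json",
               "application/vnd.docker.distribution.manifest.list.v2+json"}

def classify(body: bytes, content_type: str) -> str:
    """Return 'manifest' or 'index'; raise ValueError when the header alone would decide."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("document is not a JSON object")
    looks_index = "manifests" in doc
    looks_manifest = "layers" in doc or "config" in doc
    # Same bytes (same digest) parse as either kind: refuse instead of trusting the header.
    if looks_index and looks_manifest:
        raise ValueError("ambiguous: manifest and index fields both present")
    ct = content_type.split(";")[0].strip()
    if ct in MANIFEST_TYPES:
        claimed = "manifest"
    elif ct in INDEX_TYPES:
        claimed = "index"
    else:
        raise ValueError("unsupported Content-Type: " + ct)
    if (claimed == "manifest" and looks_index) or (claimed == "index" and looks_manifest):
        raise ValueError("body shape contradicts Content-Type")
    # An embedded mediaType is covered by the digest, so it must agree with the header.
    embedded = doc.get("mediaType")
    if embedded is not None and embedded != ct:
        raise ValueError("embedded mediaType contradicts Content-Type")
    return claimed

def is_accepted(body: bytes, content_type: str) -> bool:
    try:
        classify(body, content_type)
        return True
    except ValueError:
        return False

# Constructed sample documents; the digests are placeholders, not real content.
DIGEST = "sha256:" + "0" * 64
CLEAN = json.dumps({"schemaVersion": 2,
                    "mediaType": "application/vnd.oci.image.manifest.v1+json",
                    "config": {"digest": DIGEST}, "layers": [{"digest": DIGEST}]}).encode()
AMBIGUOUS = json.dumps({"schemaVersion": 2, "config": {"digest": DIGEST},
                        "layers": [{"digest": DIGEST}],
                        "manifests": [{"digest": DIGEST}]}).encode()

if __name__ == "__main__":
    for ct in sorted(MANIFEST_TYPES | INDEX_TYPES):
        print(ct, "clean:", is_accepted(CLEAN, ct), "ambiguous:", is_accepted(AMBIGUOUS, ct))
```
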