3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41190

GHSA ID

GHSA-mc8v-mgrf-8f4m

EPSS Score

0.42719%

CWE

CWE-843

Published

11/18/2021

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41190

CVE-2021-41190:
Clarify Content-Type handling

Impact

In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.

Patches

The OCI Distribution Specification will be updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations.

Workarounds

Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields.

References

https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/opencontainers/distribution-spec/
Email us at security@opencontainers.org

(GitHub Advisory)

3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41190

GHSA ID

GHSA-mc8v-mgrf-8f4m

EPSS Score

0.42719%

CWE

CWE-843

Published

11/18/2021

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/opencontainers/distribution-spec	go	< 1.0.1	1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from ambiguous interpretation of manifests/indexes based solely on Content-Type headers in the OCI Distribution Specification (spec.md), rather than specific code functions. The provided commit diff shows changes to documentation/specification requirements (clarifying mediaType/Content-Type alignment), not implementation code. The 'github.com/opencontainers/distribution-spec' package represents the specification document itself, not executable code with functions. Vulnerable behavior would manifest in implementations following the pre-1.0.1 spec guidance, but no specific functions are identifiable within the provided specification document context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In t** O*I *istri*ution Sp**i*i**tion v*rsion *.*.* *n* prior, t** *ont*nt-Typ* *****r *lon* w*s us** to **t*rmin* t** typ* o* *o*um*nt *urin* pus* *n* pull op*r*tions. *o*um*nts t**t *ont*in *ot* “m*ni**sts” *n* “l*y*rs” *i*l*s *oul* ** i

Reasoning

T** vuln*r**ility st*ms *rom *m*i*uous int*rpr*t*tion o* `m*ni**sts/in**x*s` **s** sol*ly on *ont*nt-Typ* *****rs in t** O*I *istri*ution Sp**i*i**tion (`sp**.m*`), r*t**r t**n sp**i*i* *o** *un*tions. T** provi*** *ommit *i** s*ows ***n**s to *o*um*

3

Basic Information

Concerned about an active attack path?

CVE-2021-41190: Clarify Content-Type handling

Impact

Patches

Workarounds

References

For more information

3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-41190:
Clarify Content-Type handling

Vulnerability Intelligence
Miggo AI