3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-77vh-xpmg-72qh

EPSS Score

CWE

CWE-843

Published

11/18/2021

Updated

1/9/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-77vh-xpmg-72qh

GHSA-77vh-xpmg-72qh:
Clarify `mediaType` handling

Impact

In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.

Patches

The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document. Release v1.0.2 includes these updates.

Workarounds

Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields.

References

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/opencontainers/image-spec
Email us at security@opencontainers.org
https://github.com/opencontainers/image-spec/commits/v1.0.2

(GitHub Advisory)

3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-77vh-xpmg-72qh

EPSS Score

CWE

CWE-843

Published

11/18/2021

Updated

1/9/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/opencontainers/image-spec	go	< 1.0.2	1.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from structural ambiguity in OCI document parsing rather than specific functions. The core issue is the absence of mandatory mediaType field in Index and Manifest structs in versions <1.0.2, leading to type confusion during deserialization. While the specs-go/v1/index.go and manifest.go struct definitions were modified to add MediaType fields, these are data structures rather than functions. The actual parsing vulnerability would manifest in JSON unmarshaling logic that processes these structs, but this is typically handled by Go's standard library encoding/json package rather than specific functions in the image-spec codebase. No specific functions in the package's code could be identified with high confidence as vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In t** O*I Im*** Sp**i*i**tion v*rsion *.*.* *n* prior, m*ni**st *n* in**x *o*um*nts *r* not s*l*-**s*ri*in* *n* *o*um*nts wit* * sin*l* *i**st *oul* ** int*rpr*t** *s *it**r * m*ni**st or *n in**x. ### P*t***s T** Im*** Sp**i*i**tion wil

Reasoning

T** vuln*r**ility st*ms *rom stru*tur*l *m*i*uity in O*I *o*um*nt p*rsin* r*t**r t**n sp**i*i* *un*tions. T** *or* issu* is t** **s*n** o* m*n**tory m**i*Typ* *i*l* in In**x *n* M*ni**st stru*ts in v*rsions <*.*.*, l***in* to typ* *on*usion *urin* **

3

Basic Information

Concerned about an active attack path?

GHSA-77vh-xpmg-72qh: Clarify `mediaType` handling

Impact

Patches

Workarounds

References

For more information

3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-77vh-xpmg-72qh:
Clarify `mediaType` handling

Vulnerability Intelligence
Miggo AI