GHSA-85JX-FM8M-X8C6 zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required)

zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the tag already exists and reference != "latest". as a result, when latest already exists, a user who is allowed to create but not allowe...

Linux Distros Unpatched Vulnerability : CVE-2021-41190

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification versi...

RHEL 8 : cri-o (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - proglottis/gpgme: Use-after-free in GPGME bindings during container image pull CVE-2020-8945 - The OCI...

Medium: containerd

Issue Overview: The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manife...

Rocky Linux 8 : container-tools:rhel8 (RLSA-2022:7457)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7457 advisory. - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 whe...

SUSE SLES15 Security Update : podman (SUSE-SU-2023:0326-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0326-1 advisory. - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 including from remote hosts. This...

SUSE SLES15 / openSUSE 15 Security Update : podman (SUSE-SU-2023:0187-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0187-1 advisory. - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 including from remot...

AlmaLinux 8 : container-tools:rhel8 (ALSA-2022:7457)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7457 advisory. golang: net/http/httputil: panic due to racy read of persistConn after handler panic CVE-2021-36221 cri-o: memory exhaustion on the node when access to th...

EulerOS 2.0 SP5 : docker-engine (EulerOS-SA-2022-2706)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distributi...

EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2022-2240)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempti...

EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2022-2253)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempti...

EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2022-2218)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempti...

GHSA-QQ97-VM5H-RRHG OCI Manifest Type Confusion Issue

Impact Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion. Patches Upgrade to at least v2.8.0-beta.1 if you are running v2.x release. If you use the code from the main branch, update at least to the commit after...

SUSE SLES15 Security Update : containerd, docker (SUSE-SU-2022:0334-1)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0334-1 advisory. - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempting ...

openSUSE 15 Security Update : singularity (openSUSE-SU-2021:1525-1)

The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2021:1525-1 advisory. - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution...

MGASA-2021-0531 Updated docker-containerd packages fix security vulnerability

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents...

CVE-2021-41190

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. ...

Clarify `mediaType` handling

Impact In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index. Patches The Image Specification will be updated to recommend that both manifest and index...

Incorrect Content-type Handling

github.com/opencontainers/distribution-spec is handling content-type incorrectly. Type of the manifest during the push and pull operations was wrongly determined as it uses only Content-Type header, causing a client to interpret the resulting content differently...

Amazon Linux AMI : containerd, docker (ALAS-2021-1551)

The version of containerd installed on the remote host is prior to 1.4.6-7.11. The version of docker installed on the remote host is prior to 20.10.7-5.76. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1551 advisory. In the OCI Distribution Specification version 1.0...