CVE-2021-41190
Public on 2021-11-17
Modified on 2021-12-09
Description
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, the manifest and index documents were not self-describing and documents with a single digest could be interpreted as either a manifest or an index. In the OCI Image Specification version 1.0.1 there is specified a recommendation that both manifest and index documents contain a `mediaType` field to identify the type of document.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | containerd | 2021-11-17 | ALAS-2021-1551 | Fixed |
| Amazon Linux 2 - Docker Extra | containerd | 2021-11-17 | ALAS2DOCKER-2021-014 | Fixed |
| Amazon Linux 2 - Ecs Extra | containerd | 2023-11-09 | ALAS2ECS-2023-026 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2021-11-17 | ALAS2NITRO-ENCLAVES-2021-014 | Fixed |
| Amazon Linux 1 | docker | 2021-11-17 | ALAS-2021-1551 | Fixed |
| Amazon Linux 2 - Docker Extra | docker | 2021-11-17 | ALAS2DOCKER-2021-014 | Fixed |
| Amazon Linux 2 - Ecs Extra | docker | 2023-11-09 | ALAS2ECS-2023-025 | Fixed |
| Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | docker | 2021-11-17 | ALAS2NITRO-ENCLAVES-2021-014 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N |
| Amazon Linux | CVSSv2 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| NVD | CVSSv3 | 3.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N |
| NVD | CVSSv2 | 4.0 | AV:N/AC:L/Au:S/C:N/I:P/A:N |