CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
EPSS
Percentile
48.7%
Issue Overview:
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 and versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image. (CVE-2021-41190)
Affected Packages:
containerd, docker
Issue Correction:
Run yum update containerd to update your system.
Run yum update docker to update your system.
New Packages:
src:
containerd-1.4.6-7.11.amzn1.src
docker-20.10.7-5.76.amzn1.src
x86_64:
containerd-stress-1.4.6-7.11.amzn1.x86_64
containerd-1.4.6-7.11.amzn1.x86_64
containerd-debuginfo-1.4.6-7.11.amzn1.x86_64
docker-20.10.7-5.76.amzn1.x86_64
docker-debuginfo-20.10.7-5.76.amzn1.x86_64
Red Hat: CVE-2021-41190
Mitre: CVE-2021-41190
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | x86_64 | containerd-stress | < 1.4.6-7.11.amzn1 | containerd-stress-1.4.6-7.11.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | containerd | < 1.4.6-7.11.amzn1 | containerd-1.4.6-7.11.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | containerd-debuginfo | < 1.4.6-7.11.amzn1 | containerd-debuginfo-1.4.6-7.11.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | docker | < 20.10.7-5.76.amzn1 | docker-20.10.7-5.76.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | docker-debuginfo | < 20.10.7-5.76.amzn1 | docker-debuginfo-20.10.7-5.76.amzn1.x86_64.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
EPSS
Percentile
48.7%