Detections
Analytics
Alpine: multiple containerd packages: security update to 1.5.7-r0 (deprecated)
medium Tenable Cloud Security Plugin ID 400009
Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:- The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution
of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone
was used to determine the type of document during push and pull operations. Documents that contain both
“manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an
accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a
client may interpret the resulting content differently. The OCI Distribution Specification has been
updated to require that a mediaType value present in a manifest or index match the Content-Type header
used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type
header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests”
and “config” fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)
See Also
https://git.alpinelinux.org/aports/commit/?id=07d09b6b5ad77209412ee42fc7447e1fa30b3214
https://git.alpinelinux.org/aports/commit/?id=781eb0361e231a6bf47b4a1980c6c487e112da55
Plugin Details
Severity: Medium
ID: 400009
Version: Revision 1.27
Type: Local
Published: 1/31/2022
Updated: 8/13/2024
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
VPR
Risk Factor: Low
Score: 1.6
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS Score Source: CVE-2021-41190
CVSS v3
Risk Factor: Medium
Base Score: 5
Temporal Score: 4.4
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Patch Publication Date: 11/19/2021
Vulnerability Publication Date: 11/17/2021
Reference Information
CVE: CVE-2021-41190