Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2021-0427

Date: August 19, 2025

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Language: Go

Severity Score

Related Resources (9)

https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/containerd/containerd/commit/26c76a3014e71af5ad2f396ec76e0e0ecc8e25a3
https://github.com/containerd/containerd
https://github.com/containerd/containerd/commit/db00065a969a983ceb0a409833f93f705f284ea4
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://www.mend.io/vulnerability-database/WS-2021-0427

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-843

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us