Impact
Currently, the artifact manifest in ORAS does not include a mediaType field. On its own this manifest is not ambiguous, but when it is composed with other OCI manifests that also lack a mediaType, ambiguity may result.
Related content from the distribution security advisory, which is currently in draft:
"Type confusion" where a document can be both a valid OCI Manifest and Image-index, relying solely on the registry provided Content-Type: HTTP header.
Patches
none.
Workarounds
Similar to the distribution recommendation, clients should reject artifact manifests that contain other elements that make them ambiguous.
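One way a client could apply this workaround, as an added example that is not ORAS code: before trusting a document served as an artifact manifest, reject it if it also carries the top-level fields that define an OCI image manifest (`config`, `layers`) or image index (`manifests`). The function name and the sample documents, including their `artifactType` and `blobs` fields, are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Top-level fields that mark a document as another OCI type (OCI image spec).
var foreignFields = map[string]string{
	"manifests": "image index",
	"config":    "image manifest",
	"layers":    "image manifest",
}

// checkArtifactManifest (hypothetical helper) rejects a body that was served
// as an artifact manifest but also carries image-manifest or index fields.
func checkArtifactManifest(body []byte) error {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(body, &top); err != nil {
		return fmt.Errorf("manifest is not a JSON object: %w", err)
	}
	if top == nil {
		return errors.New("manifest is null")
	}
	for key := range top {
		for field, kind := range foreignFields {
			// encoding/json matches struct field names case-insensitively, so a
			// later typed decode would accept "Manifests" too; compare the same way.
			if strings.EqualFold(key, field) {
				return fmt.Errorf("ambiguous: field %q belongs to an OCI %s", key, kind)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample documents; the digests are placeholders.
	samples := []string{
		`{"artifactType":"example/sbom","blobs":[{"digest":"sha256:<placeholder>"}]}`,
		`{"artifactType":"example/sbom","blobs":[],"manifests":[{"digest":"sha256:<placeholder>"}]}`,
		`{"artifactType":"example/sbom","blobs":[],"Layers":[],"config":{}}`,
	}
	for _, s := range samples {
		fmt.Printf("%v\n", checkArtifactManifest([]byte(s)))
	}
}
```

The check runs on the raw top-level keys rather than on a typed struct, because a typed decode silently drops the unknown fields that signal the ambiguity.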
References
N/A
For more information
If you have any questions or comments about this advisory:
- Reach out to #oras channel on slack.cncf.io