Regclient Digest Validation Vulnerability in Docker and OCI Registry Client

Vulnerability

regclient, a Docker and OCI registry client written in Go, did not, in versions prior to 0.7.1, verify that a manifest requested by digest actually hashed to that digest. When a manifest is pinned (referenced as image@sha256:... rather than by tag), the client accepted whatever the registry returned for that request, so a malicious registry could serve a manifest whose content does not match the pinned digest and the substitution went unnoticed.

Impact

A client that accepts a manifest whose content does not match the requested digest loses the guarantee that digest pinning is meant to provide. A malicious registry can substitute a different manifest, and therefore a different config and different layers, for an image the consumer believed was immutable, altering the behavior of any application built from or run with that image.

Reproduction

With a regclient version prior to 0.7.1, request a manifest by digest from a registry under your control that returns a manifest whose content does not hash to the requested digest. The client accepts the response and reports no mismatch. Versions 0.7.1 and later reject such a response.

Remediation

Upgrade to regclient 0.7.1 or later, where the client verifies the returned manifest against the requested digest. Users who cannot upgrade immediately can work around the issue by hashing the returned manifest bytes themselves and comparing the result with the requested digest; that comparison is also a cheap defense-in-depth check to keep in place after upgrading.
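The check described above, as an added example that is not regclient's own code: a stand-alone Go program that hashes the returned manifest bytes and compares them with the pinned digest, shown beside the weak pattern of trusting the registry's Docker-Content-Digest header. The sample manifests are constructed, and the HeaderOnlyCheck and VerifyPinnedManifest functions are illustrative names that do not correspond to regclient's API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrDigestMismatch is returned when the manifest bytes do not hash to the pinned digest.
var ErrDigestMismatch = errors.New("manifest digest mismatch")

// Constructed sample manifests (not real registry output). The tampered copy
// swaps the config blob reference, which is what a malicious registry would
// change to alter what an image pinned by digest actually runs.
var (
	GoodManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
		`"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:aaaa","size":100},"layers":[]}`)
	TamperedManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json",` +
		`"config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:bbbb","size":100},"layers":[]}`)
)

// Digest computes the OCI "sha256:<hex>" digest over the raw manifest bytes,
// exactly as served. Re-serializing the JSON first would change the hash.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// HeaderOnlyCheck models the weak pattern: believing the registry's
// Docker-Content-Digest header instead of hashing the bytes. A registry that
// substitutes content can simply echo the requested digest back.
func HeaderOnlyCheck(pinned, dockerContentDigest string) bool {
	return pinned == dockerContentDigest
}

// VerifyPinnedManifest is the check a client must perform when it asked for a
// manifest by digest: parse the pinned digest, hash the returned bytes itself,
// and refuse anything that does not match. The header value is included in the
// error for diagnostics only; it is never trusted.
func VerifyPinnedManifest(pinned, dockerContentDigest string, body []byte) error {
	pinned = strings.TrimSpace(pinned)
	algo, want, ok := strings.Cut(pinned, ":")
	if !ok || algo != "sha256" || len(want) != sha256.Size*2 {
		return fmt.Errorf("unsupported or malformed pinned digest %q", pinned)
	}
	if _, err := hex.DecodeString(want); err != nil {
		return fmt.Errorf("pinned digest %q is not hex: %w", pinned, err)
	}
	// OCI digests use lowercase hex, so a string comparison of the canonical
	// forms is sufficient; the values are public, not secrets.
	got := Digest(body)
	if got != pinned {
		return fmt.Errorf("%w: requested %s, content hashes to %s, registry header claimed %q",
			ErrDigestMismatch, pinned, got, dockerContentDigest)
	}
	return nil
}

func main() {
	pinned := Digest(GoodManifest)

	// Honest registry: the served bytes hash to the pinned digest.
	fmt.Println("honest registry:", VerifyPinnedManifest(pinned, pinned, GoodManifest))

	// Malicious registry: serves different bytes but echoes the requested
	// digest in Docker-Content-Digest. The header check passes; the content
	// check catches the substitution.
	fmt.Println("header-only check fooled:", HeaderOnlyCheck(pinned, pinned))
	fmt.Println("content check:", VerifyPinnedManifest(pinned, pinned, TamperedManifest))
}
```

The important design point is that the hash is computed over the exact bytes the registry served, before any JSON decoding or re-encoding, and that the pinned digest comes from the caller, not from the response. The same rule applies to an image index requested by digest and to every blob referenced from a verified manifest: each reference carries the digest the next fetch must be checked against.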

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  5.5
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.