  1. Artifactory Binary Repository
  2. RTFACT-20781

Artifactory can cache corrupt Docker blobs/layers

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.16.0
    • Fix Version/s: 7.19.1
    • Component/s: None
    • Labels:
    • Severity: High
    • Release Notes: Yes

      Description

      In case of a connection issue, or a 200 response with the wrong Content-Type or wrong actual content, during a Docker pull, Artifactory might cache corrupted layers.
      It seems that Artifactory does not validate the checksum of the layer against the manifest.

      After an additional check, it seems that the manifest is protected and cannot be cached in a corrupted state, but the layers themselves are vulnerable to this.

      Steps to reproduce:

      1. Pull a Docker image from an Artifactory remote
      2. Configure a proxy between Artifactory and the remote server
      3. Either make the proxy return an invalid body for a blob endpoint or edit the response content for one of the layers
      4. You will see that Artifactory caches the corrupted layer
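
The check the description says is missing, shown as an added example (not Artifactory's code and not part of the original issue): each fetched blob is hashed while streaming and admitted to the cache only if its SHA-256 and size match the layer descriptor in the manifest. The function names, the in-memory cache and the sample layers are constructed for illustration.

```python
import hashlib
import io

class CorruptBlobError(Exception):
    """Raised when a fetched blob does not match its manifest descriptor."""

def verify_blob(descriptor, stream, chunk_size=65536):
    """Read the blob from `stream`; return its bytes only if digest and size match."""
    algo, _, expected_hex = descriptor["digest"].partition(":")
    if algo != "sha256":
        raise CorruptBlobError(f"unsupported digest algorithm: {algo}")
    hasher, size, chunks = hashlib.sha256(), 0, []
    while chunk := stream.read(chunk_size):
        hasher.update(chunk)
        size += len(chunk)
        chunks.append(chunk)
    if size != descriptor["size"]:
        raise CorruptBlobError(f"size {size} != expected {descriptor['size']}")
    if hasher.hexdigest() != expected_hex:
        raise CorruptBlobError("sha256 mismatch")
    return b"".join(chunks)

def cache_layers(manifest, fetch, cache):
    """Admit each layer to `cache` only after verification; return rejected digests."""
    rejected = []
    for desc in manifest["layers"]:
        try:
            cache[desc["digest"]] = verify_blob(desc, fetch(desc["digest"]))
        except CorruptBlobError:
            rejected.append(desc["digest"])  # never written to the cache
    return rejected

# Constructed sample data: three fake layers and the manifest describing them.
GOOD = [b"layer-one" * 100, b"layer-two" * 100, b"layer-three" * 100]
MANIFEST = {"schemaVersion": 2, "layers": [
    {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
     "size": len(b), "digest": "sha256:" + hashlib.sha256(b).hexdigest()}
    for b in GOOD]}

def demo():
    """Simulate an upstream that returns one intact and two corrupt blobs."""
    digests = [d["digest"] for d in MANIFEST["layers"]]
    upstream = {
        digests[0]: GOOD[0],                          # intact body
        digests[1]: GOOD[1][:300],                    # truncated by a connection issue
        digests[2]: b"<html>502 Bad Gateway</html>",  # 200 response with the wrong content
    }
    cache = {}
    rejected = cache_layers(MANIFEST, lambda d: io.BytesIO(upstream[d]), cache)
    return cache, rejected
```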


                People

                Assignee:
                barakh Barak Hacham
                Reporter:
                yonatanb Yonatan Brand