x/vulndb: potential Go vuln in github.com/regclient/regclient: GHSA-qv35-3gw6-8q4j

[GoVulnBot]

Advisory GHSA-qv35-3gw6-8q4j references a vulnerability in the following Go modules:

Module
github.com/regclient/regclient

Description:

Impact

A malicious registry could return a different digest for a pinned manifest without detection.

Patches

This has been fixed in the v0.7.1 release.

Workarounds

After running a regclient.ManifestGet, the returned digest can be compared to the requested digest.

References:

• ADVISORY: GHSA-qv35-3gw6-8q4j
• ADVISORY: GHSA-qv35-3gw6-8q4j
• FIX: regclient/regclient@7d17cff

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/regclient/regclient
      versions:
        - fixed: 0.7.1
      vulnerable_at: 0.7.0
summary: In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient
ghsas:
    - GHSA-qv35-3gw6-8q4j
references:
    - advisory: https://github.com/advisories/GHSA-qv35-3gw6-8q4j
    - advisory: https://github.com/regclient/regclient/security/advisories/GHSA-qv35-3gw6-8q4j
    - fix: https://github.com/regclient/regclient/commit/7d17cff26c22196b5ddd66bda8c5ee4abf3d1269
source:
    id: GHSA-qv35-3gw6-8q4j
    created: 2024-08-05T15:01:23.794178147Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports