
ECR registry with mutable tags can lead to code injection

Severity: HIGH
Exploitability: HIGH
Providers: AWS
Categories: OTHER

Description

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.

Images in the registry are referenced by tags. When a repository has mutable tags, an attacker with access to the registry could upload a compromised image and assign it the tag of an image used in production, so that the compromised image is pulled and run in place of the legitimate one.

Impact

Potential data exposure: True
Visible in logs: True
User interaction required: False
Privileges required: True

Code injection.

Remediation guidelines

Disable tag mutability on the registry.
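An added audit helper (not part of this page or of AWS tooling) that reads the JSON printed by `aws ecr describe-repositories`, lists every repository whose `imageTagMutability` is not `IMMUTABLE`, and builds the `aws ecr put-image-tag-mutability` calls that apply the remediation above. The sample output and account id are constructed; run it against real output by piping `aws ecr describe-repositories` into `find_mutable_repositories`.

```python
import json
import shlex

# Constructed sample of `aws ecr describe-repositories` output (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"repositoryName": "api-server", "registryId": "123456789012",
         "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/api-server",
         "imageTagMutability": "MUTABLE"},
        {"repositoryName": "worker", "registryId": "123456789012",
         "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/worker",
         "imageTagMutability": "IMMUTABLE"},
        {"repositoryName": "legacy-batch", "registryId": "123456789012",
         "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/legacy-batch",
         "imageTagMutability": "MUTABLE"},
    ]
})


def find_mutable_repositories(describe_output: str) -> list[str]:
    """Return the names of repositories whose tags can be overwritten.

    `describe_output` is the JSON printed by `aws ecr describe-repositories`.
    ECR repositories default to MUTABLE, so a missing or unexpected value is
    treated as mutable (conservative choice) so that it gets reviewed.
    """
    data = json.loads(describe_output)
    mutable = []
    for repo in data.get("repositories", []):
        if repo.get("imageTagMutability") != "IMMUTABLE":
            mutable.append(repo["repositoryName"])
    return sorted(mutable)


def remediation_commands(describe_output: str) -> list[str]:
    """Build the AWS CLI calls that switch each mutable repository to IMMUTABLE.

    Tag immutability is a per-repository setting, so one call per repository.
    """
    return [
        "aws ecr put-image-tag-mutability "
        f"--repository-name {shlex.quote(name)} --image-tag-mutability IMMUTABLE"
        for name in find_mutable_repositories(describe_output)
    ]


if __name__ == "__main__":
    for name in find_mutable_repositories(SAMPLE_DESCRIBE_OUTPUT):
        print(f"FINDING: repository {name} allows tag overwrites")
    print("\n".join(remediation_commands(SAMPLE_DESCRIBE_OUTPUT)))
```

The same check can be done in one line with the CLI's own filter: `aws ecr describe-repositories --query 'repositories[?imageTagMutability==`MUTABLE`].repositoryName'`.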
