ECR registry with mutable tags can lead to code injection
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | AWS | OTHER |
Description#
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.
Images in the registry can be referenced with tags. When a repository has mutable tags, an attacker with access to the registry could upload a compromised image, and assign to it the tag of an image used in production, so that the compromised image would be used instead.
Impact#
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | True | False | True |
Code injection.
Remediation guidelines#
Disable tag mutability on the registry.