Skip to main content

ECR registry with mutable tags can lead to code injection

  • GG_ID: GG_IAC_0040
  • Severity: HIGH
  • Complexity: LOW
  • Categories: OTHER
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: True
  • User interaction required: False
  • Privileges required: True

Description#

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.

Images in the registry can be referenced with tags. When a repository has mutable tags, an attacker with access to the registry could upload a compromised image, and assign to it the tag of an image used in production, so that the compromised image would be used instead.

Impact#

Code injection.

Remediation guidelines#

Disable tag mutability on the registry.

External documentation#