ECR registry with mutable tags can lead to code injection
- GG_ID: GG_IAC_0040
- Severity: HIGH
- Complexity: LOW
- Categories: OTHER
- Providers: AWS
- Potential data exposure: True
- Visible in logs: True
- User interaction required: False
- Privileges required: True
# Description
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.
Images in the registry are referenced by tags. When a repository allows mutable tags, an attacker with push access to the registry could upload a compromised image and assign it the tag of an image used in production, so that the compromised image is pulled and run in its place.
# Impact
Code injection.
# Remediation guidelines
Disable tag mutability on the registry.
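To make the rule concrete, here is an added audit script (not GitGuardian's own checker) that flags ECR repositories whose tags can still be overwritten, both in the live account and in Terraform source. It reads the JSON shape returned by `aws ecr describe-repositories` (each entry carries an `imageTagMutability` field of `MUTABLE` or `IMMUTABLE`) and scans `aws_ecr_repository` resources for the `image_tag_mutability` argument. Both inputs below are constructed samples; repository names are made up, and a missing setting is treated as `MUTABLE` because that is the default on both the service and the Terraform provider.

```python
"""Flag ECR repositories that allow tag overwrites (rule GG_IAC_0040).

Added example, not part of GitGuardian's tooling. Two checks:
  * find_mutable_repositories: over `aws ecr describe-repositories` JSON
  * find_mutable_terraform_repos: over Terraform HCL source
"""
import json
import re

# Constructed sample of `aws ecr describe-repositories --output json`,
# trimmed to the fields the check needs. Names are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {"repositoryName": "payments-api", "imageTagMutability": "MUTABLE"},
        {"repositoryName": "batch-worker", "imageTagMutability": "IMMUTABLE"},
        {"repositoryName": "legacy-cron"},  # field absent: service default is MUTABLE
    ]
})

# Constructed Terraform snippet with one compliant and two non-compliant repos.
SAMPLE_TERRAFORM = '''
resource "aws_ecr_repository" "payments_api" {
  name = "payments-api"
  # image_tag_mutability not set: provider default is MUTABLE
}

resource "aws_ecr_repository" "batch_worker" {
  name                 = "batch-worker"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "legacy_cron" {
  name                 = "legacy-cron"
  image_tag_mutability = "MUTABLE"
}
'''


def find_mutable_repositories(describe_output: str) -> list[dict]:
    """One finding per live repository whose tags can be overwritten."""
    data = json.loads(describe_output)
    findings = []
    for repo in data.get("repositories", []):
        name = repo["repositoryName"]
        # Fail closed: an absent field means the repository was created
        # with the default, which is MUTABLE.
        if repo.get("imageTagMutability", "MUTABLE") != "IMMUTABLE":
            findings.append({
                "rule": "GG_IAC_0040",
                "severity": "HIGH",
                "repository": name,
                # Real AWS CLI command that applies the remediation.
                "remediation": (
                    "aws ecr put-image-tag-mutability "
                    f"--repository-name {name} --image-tag-mutability IMMUTABLE"
                ),
            })
    return findings


_RESOURCE_RE = re.compile(r'resource\s+"aws_ecr_repository"\s+"([\w-]+)"\s*\{')
_MUTABILITY_RE = re.compile(r'image_tag_mutability\s*=\s*"(\w+)"')


def _block_body(text: str, brace_at: int) -> str:
    """Text between the '{' at brace_at and its matching '}' (nested blocks ok)."""
    depth = 0
    for i in range(brace_at, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace_at + 1:i]
    return text[brace_at + 1:]  # unterminated block: scan what is there


def find_mutable_terraform_repos(hcl: str) -> list[str]:
    """Resource labels of aws_ecr_repository blocks that allow tag overwrites."""
    flagged = []
    for m in _RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end()-1 is the opening '{'
        setting = _MUTABILITY_RE.search(body)
        value = setting.group(1) if setting else "MUTABLE"  # provider default
        if value != "IMMUTABLE":
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for f in find_mutable_repositories(SAMPLE_DESCRIBE_OUTPUT):
        print(f"[{f['severity']}] {f['repository']}: {f['remediation']}")
    print("Terraform resources to fix:", find_mutable_terraform_repos(SAMPLE_TERRAFORM))
```

The Terraform scanner is regex-based and brace-counting rather than a full HCL parser, so it is meant for a pre-commit or CI gate on plain `.tf` files; the live check is the one to run against the account, since it catches repositories created outside IaC. In Terraform the fix is `image_tag_mutability = "IMMUTABLE"` on the `aws_ecr_repository` resource.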