ECR registry with mutable tags can lead to code injection
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | HIGH | AWS | OTHER |
Description
Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service.
Images in a repository are referenced by tag (for example `myapp:latest` or `myapp:v1.2.3`). When a repository allows mutable tags, anyone with push access to it can upload a compromised image and move a tag that production already pulls onto that image; the next pull of the tag silently deploys the attacker's image instead of the original. With tag immutability enabled, a push that reuses an existing tag is rejected by ECR (ImageTagAlreadyExistsException), so the tag keeps pointing at the image it was first assigned to.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | True | False | True |
Code injection.
Remediation guidelines
Enable tag immutability on each repository (the imageTagMutability setting is per repository, not registry-wide), both for existing repositories and at creation time for new ones. Immutability only stops a tag from being overwritten: an identity that is allowed to delete images can still free the tag and push a new image under it, so also restrict push and delete permissions on production repositories and prefer pulling by digest (repository@sha256:...) in deployment manifests.
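The audit and fix described above, as an added example that is not the scanner's or AWS's own code: it reads the response shape of `aws ecr describe-repositories` / boto3 `describe_repositories`, lists every repository whose tags are not immutable, and prints the `aws ecr put-image-tag-mutability` command for each. The embedded response is constructed (account id, region and repository names are made up); the optional live path assumes boto3 is installed with credentials that carry `ecr:DescribeRepositories` and, for `--apply`, `ecr:PutImageTagMutability`.

```python
"""Audit ECR repositories for mutable image tags and emit the remediation.

Added example for this page, not code from the scanner or from AWS.
Works on the JSON returned by `aws ecr describe-repositories` and by
boto3's ECR.Client.describe_repositories; the sample below is constructed.
"""
import sys

# Constructed sample mirroring describe-repositories output.
# The account id, region and repository names are made up for illustration.
SAMPLE_DESCRIBE_REPOSITORIES = {
    "repositories": [
        {
            "repositoryName": "payments-api",
            "repositoryUri": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/payments-api",
            "imageTagMutability": "MUTABLE",
        },
        {
            "repositoryName": "frontend",
            "repositoryUri": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/frontend",
            "imageTagMutability": "IMMUTABLE",
        },
        {
            "repositoryName": "batch-worker",
            "repositoryUri": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/batch-worker",
            "imageTagMutability": "MUTABLE",
        },
    ]
}


def find_mutable_repositories(response: dict) -> list[str]:
    """Return the names of repositories whose tags can be overwritten.

    Anything that is not explicitly IMMUTABLE is reported, so a missing or
    unexpected value is surfaced as a finding instead of silently passing.
    """
    return [
        repo["repositoryName"]
        for repo in response.get("repositories", [])
        if repo.get("imageTagMutability") != "IMMUTABLE"
    ]


def remediation_commands(repo_names: list[str]) -> list[str]:
    """AWS CLI command that turns on tag immutability for each repository."""
    return [
        f"aws ecr put-image-tag-mutability --repository-name {name} "
        f"--image-tag-mutability IMMUTABLE"
        for name in repo_names
    ]


def audit_live_account(apply: bool = False) -> list[str]:
    """Run the same check against the caller's account through boto3.

    boto3 is imported lazily so the offline sample runs without it.
    With apply=True the fix is applied via PutImageTagMutability
    (assumption: credentials carry ecr:PutImageTagMutability).
    """
    import boto3  # assumption: boto3 installed and AWS credentials configured

    ecr = boto3.client("ecr")
    mutable: list[str] = []
    for page in ecr.get_paginator("describe_repositories").paginate():
        mutable.extend(find_mutable_repositories(page))
    if apply:
        for name in mutable:
            ecr.put_image_tag_mutability(
                repositoryName=name, imageTagMutability="IMMUTABLE"
            )
    return mutable


if __name__ == "__main__":
    if "--live" in sys.argv:
        findings = audit_live_account(apply="--apply" in sys.argv)
    else:
        findings = find_mutable_repositories(SAMPLE_DESCRIBE_REPOSITORIES)
    for command in remediation_commands(findings):
        print(command)
```

Run without arguments to see the two findings from the constructed sample; run with `--live` to audit the configured account and `--live --apply` to enable immutability on every repository reported. The check deliberately treats any value other than IMMUTABLE as a finding, so a repository created by tooling that never set the field is caught as well.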