SYM_CONF_0235 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficient Verification of Data Authenticity
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-345: Insufficient Verification of Data Authenticity |
OWASP | A08:2021 - Software and Data Integrity Failures |
Confidence Level | Medium |
Impact Level | High |
Likelihood Level | Low |
Description
The ECR repository allows image tags to be changed after creation, meaning existing images can be silently replaced. Without setting 'image_tag_mutability' to 'IMMUTABLE', image tags are not protected from being overwritten.
Impact
If an attacker or unauthorized user can overwrite image tags, they could inject malicious code or replace trusted images with compromised versions. This could lead to code execution, supply chain attacks, or deployment of untrusted containers, putting applications and infrastructure at serious risk.
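One way to check for the setting named in the description before anything is deployed, as an added example that is not part of this rule or the project's own code. It assumes the repositories are managed with Terraform's AWS provider, walks the JSON produced by `terraform show -json`, and lists every `aws_ecr_repository` whose `image_tag_mutability` is not `IMMUTABLE`. The embedded plan, its resource addresses and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource names and addresses are made up for this example.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_ecr_repository.app", "type": "aws_ecr_repository",
     "values": {"name": "app", "image_tag_mutability": "MUTABLE"}},
    {"address": "aws_ecr_repository.base", "type": "aws_ecr_repository",
     "values": {"name": "base", "image_tag_mutability": "IMMUTABLE"}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "logs"}}],
  "child_modules": [
    {"address": "module.ci", "resources": [
      {"address": "module.ci.aws_ecr_repository.cache",
       "type": "aws_ecr_repository", "values": {"name": "cache"}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def mutable_ecr_repositories(plan):
    """Return addresses of ECR repositories whose tags can be overwritten."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_ecr_repository":
            continue
        # An absent value is treated as MUTABLE, the AWS provider default.
        setting = (res.get("values") or {}).get("image_tag_mutability") or "MUTABLE"
        if setting != "IMMUTABLE":
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    for address in mutable_ecr_repositories(SAMPLE_PLAN):
        print(f"{address}: image_tag_mutability is not IMMUTABLE")
```

Run against a real plan by loading the output of `terraform show -json` in place of `SAMPLE_PLAN`; a non-empty result is a reason to fail the pipeline step.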