Insufficient Verification of Data Authenticity
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-345: Insufficient Verification of Data Authenticity |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
The ECR repository allows image tags to be changed after creation, so an existing tag can be silently repointed to a different image. Unless `image_tag_mutability` is set to `IMMUTABLE`, image tags are not protected from being overwritten.
Impact
If an attacker or unauthorized user can overwrite image tags, they could inject malicious code or replace trusted images with compromised versions. This could lead to code execution, supply chain attacks, or deployment of untrusted containers, putting applications and infrastructure at serious risk.