Lucene search
K

12 matches found

OSV
OSV
added 2026/07/01 9:54 p.m.3 views

GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects

ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...

6.9CVSS6.1AI score
Exploits0References4
OSV
OSV
added 2026/07/01 9:43 p.m.4 views

GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal

The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...

6.9CVSS5.7AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:35 p.m.4 views

GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...

7.5CVSS5.8AI score
Exploits0References5
OSV
OSV
added 2026/07/01 9:6 p.m.2 views

GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens

Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....

2.1CVSS5.9AI score
Exploits0References4
OpenVAS
OpenVAS
added 2023/02/24 12:0 a.m.20 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-c9b2182a4e)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.05623EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/24 12:0 a.m.30 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-c9b2182a4e)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
Fedora
Fedora
added 2023/02/23 1:26 a.m.37 views

[SECURITY] Fedora 36 Update: golang-oras-1-1.2.1-1.fc36

ORAS Go library...

9.3CVSS8.1AI score0.05623EPSS
Exploits1
Fedora
Fedora
added 2023/02/23 12:45 a.m.36 views

[SECURITY] Fedora 38 Update: golang-oras-1-1.2.1-1.fc38

ORAS Go library...

9.3CVSS8.1AI score0.05623EPSS
Exploits1
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.24 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-4e2068ba5d)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.20 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-6550d9323b)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.23 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-4e2068ba5d)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.25 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-6550d9323b)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

8.7AI score
Exploits0References2
Rows per page
Query Builder