15 matches found
CVE-2026-50162
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:09+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-8xwf-rjm4-xvhv...
CVE-2026-50163
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:07+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-fxhp-mv3v-67qp...
GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects
ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...
GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal
The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...
GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...
GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....
Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-c9b2182a4e)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-c9b2182a4e)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 36 Update: golang-oras-1-1.2.1-1.fc36
ORAS Go library...
[SECURITY] Fedora 38 Update: golang-oras-1-1.2.1-1.fc38
ORAS Go library...
Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-4e2068ba5d)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-4e2068ba5d)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-6550d9323b)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-6550d9323b)
The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...