Lucene search
K

15 matches found

Circl
Circl
added 2026/07/01 10:35 p.m.5 views

CVE-2026-50162

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:09+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-8xwf-rjm4-xvhv...

5.8AI score
Exploits0References1
Circl
Circl
added 2026/07/01 10:35 p.m.7 views

CVE-2026-50163

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:07+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-fxhp-mv3v-67qp...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/01 9:54 p.m.5 views

GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects

ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...

6.9CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/01 9:48 p.m.4 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...

7.1CVSS6AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:43 p.m.4 views

GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal

The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...

6.9CVSS5.7AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:35 p.m.5 views

GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...

7.5CVSS5.8AI score
Exploits0References5
OSV
OSV
added 2026/07/01 9:6 p.m.2 views

GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens

Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....

2.1CVSS5.9AI score
Exploits0References4
OpenVAS
OpenVAS
added 2023/02/24 12:0 a.m.30 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-c9b2182a4e)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/24 12:0 a.m.21 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-c9b2182a4e)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

9.3CVSS8.7AI score0.05623EPSS
Exploits1References2
Fedora
Fedora
added 2023/02/23 1:26 a.m.37 views

[SECURITY] Fedora 36 Update: golang-oras-1-1.2.1-1.fc36

ORAS Go library...

9.3CVSS8.1AI score0.05623EPSS
Exploits1
Fedora
Fedora
added 2023/02/23 12:45 a.m.36 views

[SECURITY] Fedora 38 Update: golang-oras-1-1.2.1-1.fc38

ORAS Go library...

9.3CVSS8.1AI score0.05623EPSS
Exploits1
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.24 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-4e2068ba5d)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.23 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-4e2068ba5d)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.25 views

Fedora: Security Advisory for golang-oras-2 (FEDORA-2023-6550d9323b)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

8.7AI score
Exploits0References2
OpenVAS
OpenVAS
added 2023/02/23 12:0 a.m.20 views

Fedora: Security Advisory for golang-oras-1 (FEDORA-2023-6550d9323b)

The remote host is missing an update for the Copyright C 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.5CVSS8.7AI score0.00818EPSS
Exploits0References2
Rows per page
Query Builder