Lucene search
+L

26 matches found

OSV
OSV
added 2026/06/25 6:43 p.m.3 views

GO-2026-5185 Distribution's tag deletion bypasses `storage.delete.enabled` configuration in github.com/distribution/distribution

Distribution's tag deletion bypasses storage.delete.enabled configuration in github.com/distribution/distribution...

6.5CVSS5.8AI score0.00294EPSS
Exploits1References2
OSV
OSV
added 2026/06/01 10:42 a.m.5 views

SUSE-SU-2026:21881-1 Security update for helm

This update for helm fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265758. - CVE-2026-41888: github.com/distribution/distribution/v3: tag deletion bypasses the storage.delete.enabled configuration...

7.5CVSS5.8AI score0.00781EPSS
Exploits1References5
SUSE Linux
SUSE Linux
added 2026/05/25 1:58 p.m.16 views

Security update for helm

This update for helm fixes the following issues Security issues: CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265758. CVE-2026-41888: github.com/distribution/distribution/v3: tag deletion bypasses the storage.delete.enabled...

7.5CVSS5.8AI score0.00781EPSS
Exploits1References10
Veracode
Veracode
added 2026/05/23 5:35 a.m.8 views

Path Traversal

github.com/openclaw/crabbox is vulnerable to path traversal. The vulnerability is due to improper validation of workspace path resolution in the Islo provider, which allows an attacker to supply crafted absolute or relative paths through a malicious .crabbox.yaml or crabbox.yaml file to perform...

7.1CVSS6AI score0.00144EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 4:53 p.m.9 views

CVE-2026-41888

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has...

6.3CVSS5.8AI score0.00294EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/14 4:53 p.m.9 views

CVE-2026-41888 Distribution: Tag deletion bypasses `storage.delete.enabled` configuration

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has...

6.3CVSS5.8AI score0.00294EPSS
Exploits1References1
CVE
CVE
added 2026/05/14 4:53 p.m.29 views

CVE-2026-41888

CVE-2026-41888 affects the Distribution toolkit (prior to v3.1.1). The issue is that DELETE /v2//manifests/ can bypass storage.delete.enabled: false, letting API clients remove tags from repositories even when deletion is disabled. Impact: unauthorized tag deletions. Remediation: upgrade to v3.1....

6.5CVSS5.8AI score0.00294EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/14 4:53 p.m.3 views

CVE-2026-41888 Distribution: Tag deletion bypasses `storage.delete.enabled` configuration

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has...

6.3CVSS6.6AI score0.00294EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.11 views

CVE-2026-45224

Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with...

7.1CVSS5.9AI score0.00144EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/04 8:48 p.m.7 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the DeleteManifest process. An attacker can remove tags from repositories by sending a DELETE request to the relevant API endpoint, even when deletion has been explicitly disabled in the configuration. Th...

6.5CVSS5.7AI score0.00294EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/04 8:48 p.m.12 views

Distribution's tag deletion bypasses `storage.delete.enabled` configuration

Summary Tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. Details When storage.delete.enabled is configured to false,...

6.5CVSS5.8AI score0.00294EPSS
Exploits1References3Affected Software2
OSV
OSV
added 2026/05/04 8:48 p.m.18 views

GHSA-6PJF-3R9X-M592 Distribution's tag deletion bypasses `storage.delete.enabled` configuration

Summary Tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. Details When storage.delete.enabled is configured to false,...

6.3CVSS5.8AI score0.00294EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.13 views

PT-2026-37158

Name of the Vulnerable Software and Affected Versions Distribution versions prior to 3.1.1 Description An authorization bypass exists where tag deletion via the "/v2//manifests/" endpoint ignores the storage.delete.enabled: false configuration. This allows any API client to remove tags from...

6.5CVSS5.8AI score0.00294EPSS
Exploits1References45
SUSE CVE
SUSE CVE
added 2026/04/14 11:25 p.m.5 views

SUSE CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

7.5CVSS5.8AI score0.00455EPSS
Exploits1References5
OSV
OSV
added 2026/04/06 8:16 p.m.2 views

DEBIAN-CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

7.5CVSS5.3AI score0.00455EPSS
Exploits1References1
NVD
NVD
added 2026/04/06 8:16 p.m.6 views

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

7.5CVSS0.00455EPSS
Exploits1References10
UbuntuCve
UbuntuCve
added 2026/04/06 8:16 p.m.5 views

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

7.5CVSS5.9AI score0.00455EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/06 8:13 p.m.3 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the possibility to restore read access in repo a after an explicit delete when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are enabled. An attacker can regain unauthorized read...

8.7CVSS5.9AI score0.00455EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/06 8:13 p.m.6 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to the possibility to restore read access in repo a after an explicit delete when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are enabled. An attacker can regain unauthorized read...

8.7CVSS5.9AI score0.00455EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/06 7:8 p.m.7 views

CVE-2026-35172

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared dige...

7.5CVSS5.9AI score0.00455EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder