18 matches found

OSV (added 2026/02/19 5:28 p.m.)

GO-2026-4392 malcontent OCI image pull credential exfiltration via malicious registry token realm in github.com/chainguard-dev/malcontent

CVSS 6.5 | AI score 5.4 | EPSS 0.00034
Exploits 0 | References 3
Snyk (added 2026/01/29 10:04 p.m.)

Insufficiently Protected Credentials

Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the OCI image pull process. An attacker can obtain sensitive authentication credentials by crafting a malicious registry that returns a WWW-Authenticate header redirecting token authentication to...

CVSS 6.9 | AI score 5.9 | EPSS 0.00034
Exploits 0 | References 2
Snyk (added 2026/01/29 10:04 p.m.)

Insufficiently Protected Credentials

Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the OCI image pull process. An attacker can obtain sensitive authentication credentials by crafting a malicious registry that returns a WWW-Authenticate header redirecting token authentication to...

CVSS 6.9 | AI score 5.9 | EPSS 0.00034
Exploits 0 | References 2
EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2024-1860

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 5.5 | EPSS 0.00051
Exploits 0 | References 4
Snyk (added 2025/03/11 3:27 p.m.)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

CVSS 8.2 | AI score 7 | EPSS 0.00234
Exploits 0 | References 2
Snyk (added 2025/03/11 3:27 p.m.)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

CVSS 8.2 | AI score 7 | EPSS 0.00234
Exploits 0 | References 2
Snyk (added 2025/03/11 3:27 p.m.)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

CVSS 8.2 | AI score 7 | EPSS 0.00234
Exploits 0 | References 2
Github Security Blog (added 2025/03/11 3:27 p.m.)

Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries

Impact: In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure...

CVSS 7.2 | AI score 6.9 | EPSS 0.00234
Exploits 0 | References 6 | Affected Software 2
SUSE CVE (added 2025/01/30 3:47 a.m.)

SUSE CVE-2025-24882

regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1...

CVSS 5.2 | AI score 6.8 | EPSS 0.00152
Exploits 0 | References 3
Red Hat CVE (added 2025/01/29 5:33 p.m.)

CVE-2025-24882

A flaw was found in regclient. This issue can allow a malicious registry to return a different digest for a pinned manifest without detection via manipulated manifest responses. Mitigation: Red Hat Product Security has not identified any applicable mitigations at this time...

CVSS 5.2 | AI score 5.1 | EPSS 0.00152
Exploits 0 | References 6
CNNVD (added 2025/01/29 12:00 a.m.)

regclient data forgery vulnerability

regclient is a tool in the regclient open source project. A data forgery vulnerability exists in regclient versions prior to 0.7.1: a malicious registry may return a different digest for a pinned manifest without being detected...

CVSS 5.2 | AI score 5.4 | EPSS 0.00152
Exploits 0 | References 2
Veracode (added 2024/08/06 4:40 p.m.)

Insufficient Verification Of Data Authenticity

github.com/regclient/regclient is vulnerable to Insufficient Verification Of Data Authenticity. The vulnerability is due to missing digest checks, which allows a malicious registry to return a different digest for a pinned manifest without detection...

AI score 7
Exploits 0
Github Security Blog (added 2024/08/05 2:46 p.m.)

In regclient, pinned manifest digests may be ignored

Impact: A malicious registry could return a different digest for a pinned manifest without detection. Patches: This has been fixed in the v0.7.1 release. Workarounds: After running a regclient.ManifestGet, the returned digest can be compared to the requested digest...

CVSS 5.2 | AI score 7 | EPSS 0.00152
Exploits 0 | References 5 | Affected Software 1
OSV (added 2024/08/05 2:46 p.m.)

GHSA-QV35-3GW6-8Q4J In regclient, pinned manifest digests may be ignored

Impact: A malicious registry could return a different digest for a pinned manifest without detection. Patches: This has been fixed in the v0.7.1 release. Workarounds: After running a regclient.ManifestGet, the returned digest can be compared to the requested digest...

CVSS 5.8 | AI score 5.1 | EPSS 0.00152
Exploits 0 | References 5
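The regclient advisories above describe the workaround as comparing the digest of what the registry returned against the digest that was requested. The following is an added example of that client-side check, written for this page; it is not regclient's code and does not call regclient.ManifestGet. The ManifestResponse type, the sample manifests and the function names are constructed for illustration. The point it makes is that the Docker-Content-Digest header is attacker-controlled and must not be trusted: the digest has to be recomputed from the bytes actually received.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ManifestResponse models what a registry hands back for GET /v2/<repo>/manifests/<ref>:
// the raw manifest bytes plus the Docker-Content-Digest header. Both are untrusted.
// Constructed for this example; it is not a regclient type.
type ManifestResponse struct {
	HeaderDigest string
	Body         []byte
}

// computeDigest returns the OCI-style digest of body ("sha256:" + lowercase hex).
func computeDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// parseDigest validates the "algorithm:hex" shape; only sha256 is accepted here.
func parseDigest(d string) (string, error) {
	algo, hexPart, ok := strings.Cut(d, ":")
	if !ok || algo != "sha256" || len(hexPart) != 64 {
		return "", fmt.Errorf("unsupported or malformed digest %q", d)
	}
	if _, err := hex.DecodeString(hexPart); err != nil {
		return "", fmt.Errorf("malformed digest hex in %q", d)
	}
	return algo + ":" + strings.ToLower(hexPart), nil
}

var ErrDigestMismatch = errors.New("manifest digest does not match pinned digest")

// VerifyPinnedManifest is the check the advisory's workaround describes: when the caller
// pinned a digest, the digest recomputed from the body must equal it, regardless of what
// the registry claims in its header. It returns the digest actually observed.
func VerifyPinnedManifest(pinned string, resp ManifestResponse) (string, error) {
	want, err := parseDigest(pinned)
	if err != nil {
		return "", err
	}
	got := computeDigest(resp.Body)
	if got != want {
		return got, fmt.Errorf("%w: requested %s, body hashes to %s (header claimed %q)",
			ErrDigestMismatch, want, got, resp.HeaderDigest)
	}
	return got, nil
}

func main() {
	// Constructed sample manifest; in practice this comes from the registry.
	good := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`)
	pinned := computeDigest(good)

	// Honest registry: body matches the pinned digest.
	if _, err := VerifyPinnedManifest(pinned, ManifestResponse{HeaderDigest: pinned, Body: good}); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("honest registry: pinned digest verified")
	}

	// Malicious registry: swaps in a different manifest but echoes the requested digest
	// in the header, which is exactly the case a header-only comparison would miss.
	evil := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[{"digest":"sha256:deadbeef"}]}`)
	if _, err := VerifyPinnedManifest(pinned, ManifestResponse{HeaderDigest: pinned, Body: evil}); err != nil {
		fmt.Println("malicious registry rejected:", err)
	}
}
```

The same comparison applies to any reference that was resolved to a digest earlier in a pipeline (for example a tag resolved once and then pinned): the pinned value is the trust anchor, and everything fetched under it is verified against it, never the other way round.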
Tenable Nessus (added 2024/05/24 12:00 a.m.)

Aqua Security Trivy < 0.51.2 Credential Leak (GHSA-xcq4-m2r3-cmrj)

The version of Aqua Security Trivy installed on the remote host is prior to 0.51.2. It is, therefore, affected by a vulnerability as referenced in the GHSA-xcq4-m2r3-cmrj advisory. - If a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could...

CVSS 5.5 | AI score 5.7 | EPSS 0.00051
Exploits 0 | References 3
OSV (added 2024/05/22 4:46 p.m.)

GO-2024-2870 Credential leakage in github.com/aquasecurity/trivy

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned directly using Trivy. These tokens can then be used to push/pull...

CVSS 5.5 | AI score 5.5 | EPSS 0.00051
Exploits 0 | References 2
OSV (added 2024/05/20 8:36 p.m.)

CVE-2024-35192 Trivy possibly leaks registry credential when scanning images from malicious registries

Trivy is a security scanner. Prior to 0.51.2, if a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Contain...

CVSS 5.5 | AI score 5.2 | EPSS 0.00051
Exploits 0 | References 4
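The credential-leak entries on this page (Trivy, Ratify, malcontent and the Snyk records) describe two ways a crafted registry obtains someone else's credentials: a cloud credential provider is consulted without checking that the target registry is one it actually serves, and a WWW-Authenticate challenge names a token realm on an attacker's host. The block below is an added example of the two checks a client needs, written for this page; it is not code from Trivy, Ratify, malcontent or any other project listed. SelectCredential, RealmAllowed, Authorize, the host-pattern rules and the tokenHosts map are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// BearerChallenge holds the parameters of a "Bearer" WWW-Authenticate challenge: the
// registry tells the client where (realm) to fetch a token for which service and scope.
type BearerChallenge struct {
	Realm, Service, Scope string
}

var challengeParamRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearerChallenge parses a header such as
//   Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="repository:app:pull"
func ParseBearerChallenge(header string) (BearerChallenge, error) {
	scheme, params, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return BearerChallenge{}, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	var c BearerChallenge
	for _, m := range challengeParamRe.FindAllStringSubmatch(params, -1) {
		switch strings.ToLower(m[1]) {
		case "realm":
			c.Realm = m[2]
		case "service":
			c.Service = m[2]
		case "scope":
			c.Scope = m[2]
		}
	}
	if c.Realm == "" {
		return BearerChallenge{}, errors.New("Bearer challenge has no realm")
	}
	return c, nil
}

// credentialRule binds a credential source to the registry hosts it is valid for.
// The patterns are example configuration written for this block, not a real client's.
type credentialRule struct {
	source string
	hosts  *regexp.Regexp
}

var credentialRules = []credentialRule{
	{"ecr-helper", regexp.MustCompile(`^[0-9]+\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$`)},
	{"gcloud-helper", regexp.MustCompile(`^([a-z0-9-]+\.)?(gcr\.io|pkg\.dev)$`)},
	{"azure-helper", regexp.MustCompile(`^[a-z0-9-]+\.azurecr\.io$`)},
}

// SelectCredential is the target-domain check the advisories describe as missing: a cloud
// credential source is used only for hosts it serves. "" means an anonymous request.
func SelectCredential(registryHost string) string {
	h := strings.ToLower(registryHost)
	for _, r := range credentialRules {
		if r.hosts.MatchString(h) {
			return r.source
		}
	}
	return ""
}

var ErrForeignRealm = errors.New("refusing to send registry credentials to a foreign token realm")

// RealmAllowed covers the second failure mode: the token realm must be an absolute HTTPS
// URL on the registry host itself or on a token-service host explicitly configured for
// that registry in tokenHosts (registry host -> permitted realm hosts; example config).
func RealmAllowed(registryHost string, c BearerChallenge, tokenHosts map[string][]string) error {
	u, err := url.Parse(c.Realm)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return fmt.Errorf("realm %q is not an absolute https URL", c.Realm)
	}
	reg, realm := strings.ToLower(registryHost), strings.ToLower(u.Hostname())
	if realm == reg {
		return nil
	}
	for _, h := range tokenHosts[reg] {
		if realm == strings.ToLower(h) {
			return nil
		}
	}
	return fmt.Errorf("%w: registry %s, realm host %s", ErrForeignRealm, registryHost, realm)
}

// Authorize ties both checks together: it returns the credential source that may be used
// for this pull, or "" when the request should go out anonymously.
func Authorize(registryHost, wwwAuthenticate string, tokenHosts map[string][]string) (string, error) {
	c, err := ParseBearerChallenge(wwwAuthenticate)
	if err != nil {
		return "", err
	}
	src := SelectCredential(registryHost)
	if src == "" {
		return "", nil // unknown registry: nothing to leak, token request is anonymous
	}
	if err := RealmAllowed(registryHost, c, tokenHosts); err != nil {
		return "", err
	}
	return src, nil
}

func main() {
	none := map[string][]string{} // no cross-host token services configured
	// Constructed challenge: a crafted registry can put any realm and service here.
	evil := `Bearer realm="https://attacker.example/token",service="123456789012.dkr.ecr.us-east-1.amazonaws.com"`
	fmt.Println(Authorize("evil.example", evil, none))
	fmt.Println(Authorize("123456789012.dkr.ecr.us-east-1.amazonaws.com", evil, none))
}
```

Two design points follow from the advisories. The credential decision is keyed on the registry host the client is talking to, never on the service or realm the registry itself supplies, because those are attacker-controlled. And a registry that legitimately uses a token service on another host has to be allowlisted per registry rather than by globally trusting whatever realm appears in the challenge.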
OSV (added 2024/04/16 6:16 p.m.)

GO-2024-2667 Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

CVSS 6.5 | AI score 6.5 | EPSS 0.00821
Exploits 0 | References 1