4 matches found
CVE-2026-55092 Trivy: Path traversal via a crafted vulnerability database or other downloaded artifacts
Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a...
GO-2025-4077 Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations in github.com/docker/compose...
CVE-2023-33959
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Use...
CVE-2023-33959 Verification bypass can cause users into verifying the wrong artifact
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Use...