Lucene search
K

57 matches found

RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-48978

A flaw was found in oras-go. The auth.Client in oras-go does not properly validate the scheme or host of the realm URL provided in a registry's WWW-Authenticate: Bearer challenge. A remote attacker, operating a malicious registry or performing a man-in-the-middle attack, could exploit this to...

3.1CVSS6AI score
Exploits0References4
Chainguard
Chainguard
added 4 days ago9 views

CVE-2026-50163 vulnerabilities

Vulnerabilities for packages: consul-k8s, oras-fips, oras, consul-k8s-fips, ratify, ratify-fips...

6.1AI score
Exploits0
Chainguard
Chainguard
added 4 days ago12 views

GHSA-FXHP-MV3V-67QP vulnerabilities

Vulnerabilities for packages: consul-k8s, oras-fips, oras, consul-k8s-fips, ratify, ratify-fips...

6.1AI score
Exploits0
Wolfi
Wolfi
added 4 days ago13 views

CVE-2026-50163 vulnerabilities

Vulnerabilities for packages: oras, consul-k8s, ratify...

6.1AI score
Exploits0
Wolfi
Wolfi
added 4 days ago11 views

GHSA-FXHP-MV3V-67QP vulnerabilities

Vulnerabilities for packages: oras, consul-k8s, ratify...

6.1AI score
Exploits0
Circl
Circl
added 2026/07/01 10:35 p.m.9 views

CVE-2026-50151

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:11+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-jxpm-75mh-9fp7...

5.8AI score
Exploits0References1
Circl
Circl
added 2026/07/01 10:35 p.m.7 views

CVE-2026-50162

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:09+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-8xwf-rjm4-xvhv...

5.8AI score
Exploits0References1
Circl
Circl
added 2026/07/01 10:35 p.m.14 views

CVE-2026-50163

creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:07+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-fxhp-mv3v-67qp...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/01 9:54 p.m.6 views

GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects

ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...

6.9CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/07/01 9:48 p.m.4 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...

7.1CVSS6AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:48 p.m.5 views

GHSA-FXHP-MV3V-67QP `oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution

Root cause The tar-extraction helper ensureLinkPath at content/file/utils.go:262-275 validates that a hardlink's target resolves inside the extract base, but then returns the original unresolved target string back to the caller: go func ensureLinkPathbaseAbs, baseRel, link, target string string,...

7.1CVSS6AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:43 p.m.4 views

GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal

The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...

6.9CVSS5.7AI score
Exploits0References3
OSV
OSV
added 2026/07/01 9:35 p.m.5 views

GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header

Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...

7.5CVSS5.8AI score
Exploits0References5
Snyk
Snyk
added 2026/07/01 9:35 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/01 9:35 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...

8.7CVSS6AI score
Exploits0References2
OSV
OSV
added 2026/07/01 9:6 p.m.4 views

GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens

Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....

2.1CVSS5.9AI score
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/05/19 3:47 p.m.6 views

io.debezium:debezium-platform-conductor (>=3.5.0.CR1 <=3.6.0.Beta1), io.jenkins.plugins:jobcacher-oras-storage (>=8.vc4686b_899f53 <=144.vb_727c9b_7d229) +9 more potentially affected by unknown CVE via land.oras:oras-java-sdk (>=0.2.0 <=0.6.1)

land.oras:oras-java-sdk MAVEN version =0.2.0, =3.5.0.CR1, =8.vc4686b899f53, =0.2.0-4.vc50576b371f6, =7.v5b3e89ff2fca, =8.v5d229eba22c5, =5.v2bc0b458b8b2, =0.0.1, =0.0.1, =0.2.0, =0.2.0, =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: OSV:GHSA-XM96-GFJX-JCRC...

5.5AI score
Exploits0
Wolfi
Wolfi
added 2026/04/11 2:51 a.m.10 views

GHSA-FV83-X2XW-2J55 vulnerabilities

Vulnerabilities for packages: grafana-rollout-operator, github-mcp-server, oras, spire-server, metacontroller, supercronic, kubewatch, clickhouse-operator, mariadb-operator, secrets-store-csi-driver-provider-aws, apko, goreleaser, newrelic-k8s-metadata-injection, grafana-operator,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/04/11 2:51 a.m.12 views

CVE-2026-32281 vulnerabilities

Vulnerabilities for packages: kubewatch, apko, gitaly, terraform-provider-tls, k8sgpt-operator, opensearch-k8s-operator, kubescape, conjur-cli, dask-gateway, apache-exporter, prometheus-blackbox-exporter, kubernetes-replicator, http-echo, crossplane-provider-azure-authorization, q, fscrypt,...

7.5CVSS6.9AI score0.00349EPSS
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/12 4:47 p.m.4 views

Malicious code in @mipta1/oras (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 66e55b7cf41df2b60c003da22e479a06fecaeeebd38526d0d3f24ea8521fafb9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
Rows per page
Query Builder