57 matches found
CVE-2026-48978
A flaw was found in oras-go. The auth.Client in oras-go does not properly validate the scheme or host of the realm URL provided in a registry's WWW-Authenticate: Bearer challenge. A remote attacker, operating a malicious registry or performing a man-in-the-middle attack, could exploit this to...
CVE-2026-50163 vulnerabilities
Vulnerabilities for packages: consul-k8s, oras-fips, oras, consul-k8s-fips, ratify, ratify-fips...
GHSA-FXHP-MV3V-67QP vulnerabilities
Vulnerabilities for packages: consul-k8s, oras-fips, oras, consul-k8s-fips, ratify, ratify-fips...
CVE-2026-50163 vulnerabilities
Vulnerabilities for packages: oras, consul-k8s, ratify...
GHSA-FXHP-MV3V-67QP vulnerabilities
Vulnerabilities for packages: oras, consul-k8s, ratify...
CVE-2026-50151
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:11+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-jxpm-75mh-9fp7...
CVE-2026-50162
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:09+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-8xwf-rjm4-xvhv...
CVE-2026-50163
creationtimestamp| type| source ---|---|--- 2026-07-01 22:35:07+00:00| published-proof-of-concept| https://github.com/oras-project/oras-go/security/advisories/GHSA-fxhp-mv3v-67qp...
GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects
ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through improper validation of hardlink targets during tar extraction. An attacker can access or modify files outside the intended extraction directory by crafting a malicious tarball with a hardlink entry whose target is...
GHSA-FXHP-MV3V-67QP `oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
Root cause The tar-extraction helper ensureLinkPath at content/file/utils.go:262-275 validates that a hardlink's target resolves inside the extract base, but then returns the original unresolved target string back to the caller: go func ensureLinkPathbaseAbs, baseRel, link, target string string,...
GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal
The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...
GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the blobStore.completePushAfterInitialPost process. An attacker can obtain sensitive credentials by manipulating the Location header to redirect requests to an attacker-controlled endpoint, causing t...
GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....
io.debezium:debezium-platform-conductor (>=3.5.0.CR1 <=3.6.0.Beta1), io.jenkins.plugins:jobcacher-oras-storage (>=8.vc4686b_899f53 <=144.vb_727c9b_7d229) +9 more potentially affected by unknown CVE via land.oras:oras-java-sdk (>=0.2.0 <=0.6.1)
land.oras:oras-java-sdk MAVEN version =0.2.0, =3.5.0.CR1, =8.vc4686b899f53, =0.2.0-4.vc50576b371f6, =7.v5b3e89ff2fca, =8.v5d229eba22c5, =5.v2bc0b458b8b2, =0.0.1, =0.0.1, =0.2.0, =0.2.0, =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: OSV:GHSA-XM96-GFJX-JCRC...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: grafana-rollout-operator, github-mcp-server, oras, spire-server, metacontroller, supercronic, kubewatch, clickhouse-operator, mariadb-operator, secrets-store-csi-driver-provider-aws, apko, goreleaser, newrelic-k8s-metadata-injection, grafana-operator,...
CVE-2026-32281 vulnerabilities
Vulnerabilities for packages: kubewatch, apko, gitaly, terraform-provider-tls, k8sgpt-operator, opensearch-k8s-operator, kubescape, conjur-cli, dask-gateway, apache-exporter, prometheus-blackbox-exporter, kubernetes-replicator, http-echo, crossplane-provider-azure-authorization, q, fscrypt,...
Malicious code in @mipta1/oras (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 66e55b7cf41df2b60c003da22e479a06fecaeeebd38526d0d3f24ea8521fafb9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...