2 matches found
CVE-2025-27403
The CVE describes a vulnerability in Ratify where Azure authentication providers could exchange an Entra ID token for an ACR refresh token without verifying that the target registry is an Azure Container Registry. This could allow EID tokens with ACR access to be exposed if a workload references ...
CVE-2025-27403: Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries
Ratify is a verification engine, available as a binary executable and on Kubernetes, that verifies artifact security metadata and admits for deployment only those artifacts that comply with policies the user creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azu...