GHSA-qv35-3gw6-8q4j

Published: 05 Aug 2024
Source: github
GitHub: Reviewed
CVSS4: 5.8
CVSS3: 5.2

Description

In regclient, pinned manifest digests may be ignored

Impact

A malicious registry could return a different digest for a pinned manifest without detection.

Patches

This has been fixed in the v0.7.1 release.

Workarounds

After running a regclient.ManifestGet, the returned digest can be compared to the requested digest.
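The check described in the workaround, as an added example using only the Go standard library (not regclient's own code). The names `Digest`, `PinnedDigest` and `VerifyPinned`, the reference `registry.example/app` and the sample manifest are hypothetical; `reported` stands for whatever digest the client returned for the fetched manifest. The example goes one step beyond the workaround by also hashing the raw manifest bytes against the pin.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Digest returns the sha256 digest string of raw manifest bytes.
func Digest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// PinnedDigest extracts the digest from a pinned reference "repo@sha256:<hex>".
func PinnedDigest(ref string) (string, error) {
	i := strings.LastIndex(ref, "@")
	if i < 0 {
		return "", fmt.Errorf("reference %q is not pinned to a digest", ref)
	}
	dig := ref[i+1:]
	hexPart := strings.TrimPrefix(dig, "sha256:")
	if _, err := hex.DecodeString(hexPart); err != nil || hexPart == dig || len(hexPart) != 64 {
		return "", fmt.Errorf("unsupported or malformed digest %q", dig)
	}
	return dig, nil
}

// VerifyPinned fails closed unless the reported digest and the body hash both equal the pin.
func VerifyPinned(ref, reported string, raw []byte) error {
	want, err := PinnedDigest(ref)
	if err != nil {
		return err
	}
	if reported != want {
		return fmt.Errorf("digest mismatch: pinned %s, registry returned %s", want, reported)
	}
	if got := Digest(raw); got != want {
		return fmt.Errorf("content mismatch: pinned %s, body hashes to %s", want, got)
	}
	return nil
}

func main() {
	body := []byte(`{"schemaVersion":2}`) // constructed sample manifest
	ref := "registry.example/app@" + Digest(body)
	fmt.Println(VerifyPinned(ref, Digest(body), body))
	fmt.Println(VerifyPinned(ref, Digest(body), []byte(`{"tampered":true}`)))
}
```

Treat any non-nil error as a failed pull and discard the manifest rather than falling back to the tag.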

Packages

Name: github.com/regclient/regclient (go)
Affected versions: < 0.7.1
Fixed version: 0.7.1

EPSS

Percentile: 13%
0.00044
Low

5.8 Medium

CVSS4

5.2 Medium

CVSS3

Weaknesses

CWE-20
CWE-345

Related vulnerabilities

CVSS3: 5.2
redhat
more than 1 year ago

regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1.

CVSS3: 5.2
nvd
11 months ago

regclient is a Docker and OCI Registry Client in Go. A malicious registry could return a different digest for a pinned manifest without detection. This vulnerability is fixed in 0.7.1.

CVSS3: 5.2
debian
11 months ago

regclient is a Docker and OCI Registry Client in Go. A malicious regis ...
