
CVE-2025-24976

Published: 11 Feb 2025
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.

A flaw was found in Distribution. Certain versions with token authentication enabled may be vulnerable to an issue where token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue is due to how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys but doesn't verify that the key material matches.
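The check that is missing, and the check that closes the gap, as an added example (this is not Distribution's code and does not reproduce its real verification path; it is a reduced model in Go, the project's language). It assumes Ed25519 keys, an in-memory trusted-key map keyed by kid, and a constructed kid and claim set. With requireKeyMatch=false, verify behaves as the advisory describes: a kid found among the trusted keys is accepted and the signature is checked with whatever JWK the header carries. With requireKeyMatch=true, the header JWK must match the key material registered under that kid before the signature counts.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of a JSON Web Key needed for an Ed25519 (OKP) public key.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"` // base64url-encoded public key bytes
}

// header is the JOSE header; the signing key may travel inline in the jwk member.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	JWK *jwk   `json:"jwk,omitempty"`
}

// signToken builds a compact JWS (header.claims.signature) with Ed25519.
func signToken(priv ed25519.PrivateKey, h header, claims map[string]any) string {
	hb, _ := json.Marshal(h)
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// splitToken returns the parsed header, the signing input and the raw signature.
func splitToken(tok string) (h header, input string, sig []byte, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return h, "", nil, errors.New("malformed token")
	}
	hb, err1 := b64.DecodeString(p[0])
	sig, err2 := b64.DecodeString(p[2])
	if err1 != nil || err2 != nil || json.Unmarshal(hb, &h) != nil {
		return h, "", nil, errors.New("malformed token")
	}
	return h, p[0] + "." + p[1], sig, nil
}

// jwkPublicKey decodes the header JWK into an Ed25519 public key.
func jwkPublicKey(k *jwk) (ed25519.PublicKey, error) {
	if k == nil || k.Kty != "OKP" || k.Crv != "Ed25519" {
		return nil, errors.New("unsupported or missing jwk")
	}
	x, err := b64.DecodeString(k.X)
	if err != nil || len(x) != ed25519.PublicKeySize {
		return nil, errors.New("invalid jwk x")
	}
	return ed25519.PublicKey(x), nil
}

// verify checks a token against the trusted key set. requireKeyMatch=false is the
// flawed kid-only check; requireKeyMatch=true also requires the header JWK to equal
// the key material registered under that kid (the hardened form).
func verify(tok string, trusted map[string]ed25519.PublicKey, requireKeyMatch bool) error {
	h, input, sig, err := splitToken(tok)
	if err != nil {
		return err
	}
	tk, ok := trusted[h.Kid]
	if !ok {
		return errors.New("kid not trusted")
	}
	pub, err := jwkPublicKey(h.JWK)
	if err != nil {
		return err
	}
	if requireKeyMatch && !bytes.Equal(pub, tk) {
		return errors.New("header jwk does not match the trusted key for this kid")
	}
	if !ed25519.Verify(pub, []byte(input), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Outcome records what each verifier variant decided for one token (nil = accepted).
type Outcome struct{ KidOnly, KeyMaterial error }

// RunScenario registers one trusted key (generated in memory; a registry would load it
// from its configured trust bundle) and evaluates a token signed by that key and a
// token signed by an unrelated key whose header reuses the trusted kid.
func RunScenario() (genuine, mismatched Outcome, err error) {
	const kid = "registry-token-key-1" // constructed identifier
	tpub, tpriv, err1 := ed25519.GenerateKey(rand.Reader)
	opub, opriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return genuine, mismatched, errors.New("key generation failed")
	}
	trusted := map[string]ed25519.PublicKey{kid: tpub}
	claims := map[string]any{"iss": "auth.example", "sub": "ci-user", "access": "repository:app/web:pull"}
	mint := func(pub ed25519.PublicKey, priv ed25519.PrivateKey) string {
		j := &jwk{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(pub)}
		return signToken(priv, header{Alg: "EdDSA", Kid: kid, JWK: j}, claims)
	}
	check := func(tok string) Outcome { return Outcome{verify(tok, trusted, false), verify(tok, trusted, true)} }
	return check(mint(tpub, tpriv)), check(mint(opub, opriv)), nil
}
```

RunScenario returns the two decisions side by side: the genuine token passes both variants, while the token whose header carries a different key under the trusted kid passes the kid-only variant and fails the key-material variant. The same comparison is what a regression test for the fix should assert, and comparing a JWK thumbprint instead of raw bytes works equally well as long as the comparison covers the full key material, not just the identifier.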

Report

Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-639: Authorization Bypass Through User-Controlled Key vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access controls strictly enforce user-to-resource authorization, preventing manipulation of identifiers such as namespace names or resource paths to gain unauthorized access. Least privilege principles restrict access to only the resources necessary for each role, reducing the potential impact of any misused identifiers. Account management enforces unique user identities and session controls to prevent horizontal or vertical privilege escalation. Remote access is tightly governed through hardened authentication mechanisms and session limitations, further minimizing the risk of user-controlled access vectors. Additionally, access enforcement policies are applied consistently across services and verified through routine validation, reducing the likelihood of authorization bypass conditions.

Affected packages

Platform | Package | Status | Recommendation | Release
Multiarch Tuning Operator | multiarch-tuning/multiarch-tuning-rhel9-operator | Will not fix | |
OpenShift API for Data Protection | oadp/oadp-velero-plugin-rhel8 | Fix deferred | |
OpenShift Serverless | openshift-serverless-1/serverless-ingress-rhel8 | Will not fix | |
OpenShift Serverless | openshift-serverless-1/serverless-kn-operator-rhel8 | Will not fix | |
OpenShift Serverless | openshift-serverless-1/serverless-must-gather-rhel8 | Will not fix | |
OpenShift Serverless | openshift-serverless-1/serverless-openshift-kn-rhel8-operator | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-rhel8 | Fix deferred | |
Red Hat OpenShift Container Platform 4 | microshift | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-cli | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-cli-artifacts | Not affected | |


Additional information

Status:

Moderate
Weakness:
CWE-639
https://bugzilla.redhat.com/show_bug.cgi?id=2344940
distribution: Distribution's token authentication allows attacker to inject an untrusted signing key in a JWT

EPSS

Percentile: 29%
0.00103
Low

6.5 Medium

CVSS3

Related vulnerabilities

nvd
11 months ago

Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.

debian
11 months ago

Distribution is a toolkit to pack, ship, store, and deliver container ...


Vulnerability CVE-2025-24976