CVE-2026-48978

Public on 2026-07-16
Modified on 2026-07-16
Description
A flaw was found in oras-go. The auth.Client in oras-go does not properly validate the scheme or host of the realm URL provided in a registry's WWW-Authenticate: Bearer challenge. A remote attacker, operating a malicious registry or performing a man-in-the-middle attack, could exploit this to perform Server-Side Request Forgery (SSRF) against internal networks, potentially disclosing sensitive information. Additionally, the flaw could lead to a Transport Layer Security (TLS) downgrade, causing user credentials to be sent over plaintext.
Severity
Low severity
Low
See what this means
CVSS v3 Base Score
3.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Docker Extra soci-snapshotter Pending Fix
Amazon Linux 2023 soci-snapshotter Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N