GHSA-XM96-GFJX-JCRC

Vulnerability from github – Published: 2026-05-19 15:47 – Updated: 2026-05-19 15:47
VLAI
Summary
ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation
Details

Summary

The pullArtifact methods in Registry and OCILayout use the org.opencontainers.image.title annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this annotation to a path that escapes the output directory, causing the SDK to write the layer's blob anywhere the JVM process can write.

Details

Two call sites are affected.

src/main/java/land/oras/Registry.java, pullLayer (reached from Registry.pullArtifact):

Path targetPath = path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE));
...
Files.copy(is, targetPath, StandardCopyOption.REPLACE_EXISTING);

src/main/java/land/oras/OCILayout.java, OCILayout.pullArtifact:

Files.copy(blobPath, path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE)));

The annotation comes from the remote manifest. Path.resolve treats an absolute argument as a full override of the base, and follows .. segments upward, so the annotation controls the destination. REPLACE_EXISTING overwrites files that exist at that destination.

The unpack branch of pullLayer (taken when the layer carries io.deis.oras.content.unpack=true) is not affected, because it dispatches through ArchiveUtils.untar / unzip, which apply outputPath.startsWith(normalizedTarget) after normalization. The non unpack branch and OCILayout.pullArtifact lack the equivalent check.

fetchBlob(ContainerRef, Path) is not affected. The caller passes the destination path and the title annotation is not consulted.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "land.oras:oras-java-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:47:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `pullArtifact` methods in `Registry` and `OCILayout` use the `org.opencontainers.image.title` annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this annotation to a path that escapes the output directory, causing the SDK to write the layer\u0027s blob anywhere the JVM process can write.\n\n### Details\n\nTwo call sites are affected.\n\n`src/main/java/land/oras/Registry.java`, `pullLayer` (reached from `Registry.pullArtifact`):\n\n```java\nPath targetPath = path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE));\n...\nFiles.copy(is, targetPath, StandardCopyOption.REPLACE_EXISTING);\n```\n\n`src/main/java/land/oras/OCILayout.java`, `OCILayout.pullArtifact`:\n\n```java\nFiles.copy(blobPath, path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE)));\n```\n\nThe annotation comes from the remote manifest. `Path.resolve` treats an absolute argument as a full override of the base, and follows `..` segments upward, so the annotation controls the destination. `REPLACE_EXISTING` overwrites files that exist at that destination.\n\nThe unpack branch of `pullLayer` (taken when the layer carries `io.deis.oras.content.unpack=true`) is not affected, because it dispatches through `ArchiveUtils.untar` / `unzip`, which apply `outputPath.startsWith(normalizedTarget)` after normalization. The non unpack branch and `OCILayout.pullArtifact` lack the equivalent check.\n\n`fetchBlob(ContainerRef, Path)` is not affected. The caller passes the destination path and the title annotation is not consulted.",
  "id": "GHSA-xm96-gfjx-jcrc",
  "modified": "2026-05-19T15:47:36Z",
  "published": "2026-05-19T15:47:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oras-project/oras-java/security/advisories/GHSA-xm96-gfjx-jcrc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oras-project/oras-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…