CVE-2025-24976

{"id": "CVE-2025-24976", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-11T16:15:52.163", "references": [{"url": "https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be", "source": "security-advisories@github.com"}, {"url": "https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication."}, {"lang": "es", "value": "La distribuci\u00f3n es un conjunto de herramientas para empaquetar, enviar, almacenar y entregar contenido de contenedores. Los sistemas que ejecutan las versiones de registro 3.0.0-beta.1 a 3.0.0-rc.2 con la autenticaci\u00f3n de token habilitada pueden ser vulnerables a un problema en el que la autenticaci\u00f3n de token permite a un atacante inyectar una clave de firma no confiable en un token web JSON (JWT). El problema radica en c\u00f3mo se realiza la verificaci\u00f3n de la clave web JSON (JWK). Cuando un JWT contiene un encabezado JWK sin una cadena de certificados, el c\u00f3digo solo verifica si el KeyID (`kid`) coincide con una de las claves confiables, pero no verifica que el material de la clave real coincida. Hay una soluci\u00f3n para el problema disponible en el commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd y se espera que sea parte de la versi\u00f3n 3.0.0-rc.3. No hay forma de solucionar este problema sin aplicar un parche si el sistema requiere autenticaci\u00f3n de token."}], "lastModified": "2026-01-23T17:16:06.073", "sourceIdentifier": "security-advisories@github.com"}