CVE-2026-50151
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-918
Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolithic blob upload and reuses the Authorization header from the initial POST request for the subsequent PUT request, allowing a malicious registry to return a cross-host Location and receive the caller's credentials at an attacker-controlled endpoint. This issue is fixed in version 2.6.1.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA



