Distribution's token authentication allows attacker to inject an untrusted signing key in a JWT
Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks whether the key ID (`kid`) matches one of the trusted keys, but does not verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and is expected to be part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.
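To make the described check concrete, here is an added Go model (not distribution's code and not the patch at the referenced commit) of the flawed `kid`-only key selection beside a hardened selection that also compares the header's key material against the trusted key; the `headerJWK` type, the `registry-signing-key` kid and the generated key pairs are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
)

// headerJWK is a constructed stand-in for a JWT header JWK without an x5c chain: a kid plus key material.
type headerJWK struct {
	KID string
	Key *ecdsa.PublicKey
}

// vulnerableSelectKey models the flawed check: a trusted kid suffices, and the header's own key material is used to verify.
func vulnerableSelectKey(h headerJWK, trusted map[string]*ecdsa.PublicKey) (*ecdsa.PublicKey, error) {
	if _, ok := trusted[h.KID]; !ok {
		return nil, errors.New("untrusted kid")
	}
	return h.Key, nil
}

// fixedSelectKey also requires the header key material to equal the trusted key, and returns the trusted copy.
func fixedSelectKey(h headerJWK, trusted map[string]*ecdsa.PublicKey) (*ecdsa.PublicKey, error) {
	tk, ok := trusted[h.KID]
	if !ok {
		return nil, errors.New("untrusted kid")
	}
	if h.Key == nil || !tk.Equal(h.Key) {
		return nil, errors.New("header key material does not match trusted key")
	}
	return tk, nil
}

// scenario builds one trusted key and two headers with its kid: genuine material, and a different constructed key pair.
func scenario() (trusted map[string]*ecdsa.PublicKey, genuine, forged headerJWK) {
	tp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fp, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted = map[string]*ecdsa.PublicKey{"registry-signing-key": &tp.PublicKey}
	genuine = headerJWK{KID: "registry-signing-key", Key: &tp.PublicKey}
	forged = headerJWK{KID: "registry-signing-key", Key: &fp.PublicKey}
	return
}

func main() {
	trusted, _, forged := scenario()
	_, vErr := vulnerableSelectKey(forged, trusted)
	_, fErr := fixedSelectKey(forged, trusted)
	fmt.Println("vulnerable path accepts forged key:", vErr == nil, "fixed path rejects it:", fErr != nil)
}
```

The hardened path never verifies with the key that arrived in the header; it only uses the header to pick a trusted key and rejects any mismatch in material.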
References
- https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc
- https://github.com/distribution/distribution/commit/5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd
- https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be
Affected products
- >= 3.0.0-beta.1, <= 3.0.0-rc.2
Matching in nixpkgs
- pkgs.distribution: Toolkit to pack, ship, store, and deliver container content
- pkgs.protege-distribution: OWL2 ontology editor from Stanford, with third-party plugins included
- pkgs.perlPackages.LinuxDistribution: Perl extension to detect on which Linux distribution we are running
- pkgs.perl538Packages.LinuxDistribution: Perl extension to detect on which Linux distribution we are running
- pkgs.perl540Packages.LinuxDistribution: Perl extension to detect on which Linux distribution we are running
- pkgs.perlPackages.DistributionMetadata: Distribution::Metadata - gather distribution metadata in local
- pkgs.haskellPackages.normaldistribution: Minimum fuss normally distributed random values
- pkgs.perlPackages.ParseLocalDistribution: Parses local .pm files as PAUSE does
- pkgs.haskellPackages.distribution-nixpkgs: Types and functions to manipulate the Nixpkgs distribution
- pkgs.perl538Packages.DistributionMetadata: Distribution::Metadata - gather distribution metadata in local
- pkgs.perl540Packages.DistributionMetadata: Distribution::Metadata - gather distribution metadata in local
- pkgs.perlPackages.StatisticsDistributions: Perl module for calculating critical values and upper probabilities of common statistical distributions
- pkgs.haskellPackages.distribution-opensuse: Types, functions, and tools to manipulate the openSUSE distribution
- pkgs.haskellPackages.splitmix-distributions: Random samplers for some common distributions, based on splitmix
- pkgs.perl538Packages.ParseLocalDistribution: Parses local .pm files as PAUSE does
- pkgs.perl540Packages.ParseLocalDistribution: Parses local .pm files as PAUSE does
- pkgs.haskellPackages.ngx-export-distribution: Build custom libraries for Nginx Haskell module
- pkgs.perl538Packages.StatisticsDistributions: Perl module for calculating critical values and upper probabilities of common statistical distributions
- pkgs.perl540Packages.StatisticsDistributions: Perl module for calculating critical values and upper probabilities of common statistical distributions
- pkgs.haskellPackages.distribution-nixpkgs-unstable: Types and functions to manipulate the Nixpkgs distribution
- nixos-unstable 1.7.1.1-unstable-2025-11-11
- nixpkgs-unstable 1.7.1.1-unstable-2025-11-11
- nixos-unstable-small 1.7.1.1-unstable-2025-11-11
Package maintainers
- @katexochen Paul Meyer <katexochen0@gmail.com>
- @sternenseemann Lukas Epple <sternenseemann@systemli.org>
- @nessdoor Tomas Antonio Lopez <entropy.overseer@protonmail.com>