GHSA-xm96-gfjx-jcrc

Source

https://github.com/advisories/GHSA-xm96-gfjx-jcrc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xm96-gfjx-jcrc/GHSA-xm96-gfjx-jcrc.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-xm96-gfjx-jcrc

Published

2026-05-19T15:47:36Z

Modified

2026-05-19T16:00:09.824336711Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation

Details

Summary

The pullArtifact methods in Registry and OCILayout use the org.opencontainers.image.title annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this annotation to a path that escapes the output directory, causing the SDK to write the layer's blob anywhere the JVM process can write.

Details

Two call sites are affected.

src/main/java/land/oras/Registry.java, pullLayer (reached from Registry.pullArtifact):

Path targetPath = path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE));
...
Files.copy(is, targetPath, StandardCopyOption.REPLACE_EXISTING);

src/main/java/land/oras/OCILayout.java, OCILayout.pullArtifact:

Files.copy(blobPath, path.resolve(layer.getAnnotations().get(Const.ANNOTATION_TITLE)));

The annotation comes from the remote manifest. Path.resolve treats an absolute argument as a full override of the base, and follows .. segments upward, so the annotation controls the destination. REPLACE_EXISTING overwrites files that exist at that destination.

The unpack branch of pullLayer (taken when the layer carries io.deis.oras.content.unpack=true) is not affected, because it dispatches through ArchiveUtils.untar / unzip, which apply outputPath.startsWith(normalizedTarget) after normalization. The non unpack branch and OCILayout.pullArtifact lack the equivalent check.

fetchBlob(ContainerRef, Path) is not affected. The caller passes the destination path and the title annotation is not consulted.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:47:36Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Maven / land.oras:oras-java-sdk

Package

Name: land.oras:oras-java-sdk; View open source insights on deps.dev
Purl: pkg:maven/land.oras/oras-java-sdk

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.2

Affected versions

0.*

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.2.16

0.3.0

0.3.1

0.3.2

0.3.3

0.4.0

0.4.1

0.4.2

0.5.0

0.5.1

0.5.2

0.6.0

0.6.1

Database specific

last_known_affected_version_range

"<= 0.6.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xm96-gfjx-jcrc/GHSA-xm96-gfjx-jcrc.json"