{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/oras/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["oras-java-sdk (\u003c= 0.6.1)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","oras","java"],"_cs_type":"threat","_cs_vendors":["oras"],"content_html":"\u003cp\u003eThe ORAS (OCI Repository As Storage) Java SDK is vulnerable to a path traversal issue in the \u003ccode\u003epullArtifact\u003c/code\u003e methods of the \u003ccode\u003eRegistry\u003c/code\u003e and \u003ccode\u003eOCILayout\u003c/code\u003e classes. This vulnerability arises because the SDK uses the \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation from a pulled OCI manifest as a filename without proper sanitization. An attacker who can publish a malicious OCI manifest with a crafted \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation can cause the SDK to write a layer\u0026rsquo;s blob to an arbitrary location accessible to the JVM process. This issue affects versions 0.6.1 and earlier of the \u003ccode\u003eoras-java-sdk\u003c/code\u003e. 
Exploitation can lead to arbitrary file writes, potentially overwriting critical system files or introducing malicious code.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OCI manifest.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation within a layer of the crafted manifest to a path that includes directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) or an absolute path.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes the malicious OCI manifest to a registry.\u003c/li\u003e\n\u003cli\u003eA victim application uses the ORAS Java SDK to pull an artifact from the registry using \u003ccode\u003eRegistry.pullArtifact\u003c/code\u003e or \u003ccode\u003eOCILayout.pullArtifact\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epullArtifact\u003c/code\u003e method retrieves the layer\u0026rsquo;s blob and its associated metadata, including the malicious \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation.\u003c/li\u003e\n\u003cli\u003eThe SDK uses \u003ccode\u003ePath.resolve\u003c/code\u003e to combine the user-supplied output directory with the malicious path from the \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation.\u003c/li\u003e\n\u003cli\u003eThe SDK attempts to copy the layer\u0026rsquo;s blob to the resolved path using \u003ccode\u003eFiles.copy\u003c/code\u003e with the \u003ccode\u003eREPLACE_EXISTING\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal or absolute path in the annotation, the blob is written to a location outside the intended output directory, potentially overwriting existing files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary 
files to locations accessible to the JVM process running the ORAS Java SDK. This could lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eOverwriting critical system files, causing denial of service.\u003c/li\u003e\n\u003cli\u003eWriting malicious code (e.g., a web shell) to a location where it can be executed, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eCompromising the integrity of data stored by the application using the ORAS Java SDK.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe severity is high due to the potential for remote code execution and the ease of exploitation by simply publishing a malicious manifest.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003eoras-java-sdk\u003c/code\u003e that addresses this vulnerability (versions later than 0.6.1).\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, implement input validation on the \u003ccode\u003eorg.opencontainers.image.title\u003c/code\u003e annotation before passing it to the \u003ccode\u003epullArtifact\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ORAS Java SDK Path Traversal Attempt via Image Title\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known malicious container registries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:48:26Z","date_published":"2026-05-19T15:48:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-oras-path-traversal/","summary":"The `pullArtifact` methods in `Registry` and `OCILayout` use the `org.opencontainers.image.title` annotation from a pulled manifest as a filename, resolving it against the caller-supplied output directory without normalization or a containment check, allowing a manifest publisher to write blobs outside of the intended target directory.","title":"ORAS Java SDK Path Traversal 
Vulnerability via Malicious Image Title Annotation","url":"https://feed.craftedsignal.io/briefs/2026-05-oras-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Oras","version":"https://jsonfeed.org/version/1.1"}