Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
AnalysisAI
Server-Side Request Forgery (SSRF) in distribution container toolkit versions before 3.1.0 enables credential theft via malicious upstream registry responses. When operating in pull-through cache mode, distribution parses WWW-Authenticate bearer challenges from upstream registries without validating the realm URL against the configured upstream host. Attackers controlling the upstream registry or positioned for man-in-the-middle attacks can specify arbitrary realm URLs, causing distribution to transmit configured upstream credentials via basic authentication to attacker-controlled endpoints (CVSS 7.5, High confidentiality impact). EPSS data and KEV status not available; no public exploit identified at time of analysis, though exploitation requires only network access with low complexity (AV:N/AC:L) and no authentication (PR:N).
Technical ContextAI
The distribution project (formerly Docker Registry) is a reference implementation for storing and distributing container images via OCI/Docker registry protocols. In pull-through cache deployments, distribution acts as a transparent proxy that retrieves and caches images from upstream registries. The vulnerability stems from improper URL validation during OAuth 2.0 bearer token authentication flows (RFC 6750). When parsing WWW-Authenticate headers containing bearer challenges (e.g., 'Bearer realm="https://auth.example.com/token"'), distribution extracts the realm URL to obtain access tokens but fails to verify this URL belongs to the trusted upstream registry domain. This CWE-918 Server-Side Request Forgery flaw allows attacker-supplied realm URLs to be trusted, causing the application to initiate outbound HTTP requests with sensitive credentials to arbitrary destinations. The vulnerability specifically affects the authentication middleware that handles token discovery and credential passing in pull-through cache configurations where upstream authentication is required.
RemediationAI
Upgrade distribution to version 3.1.0 or later, which implements proper validation of bearer challenge realm URLs to ensure they match the configured upstream registry domain before transmitting credentials. Organizations unable to immediately upgrade should disable pull-through cache functionality or remove upstream authentication credentials from distribution configuration, instead using unauthenticated public registries or implementing network-layer controls to prevent distribution from reaching attacker-controlled destinations. Deploy egress filtering to restrict distribution servers to communicate only with known-legitimate registry domains. Review authentication logs for the period prior to patching to identify potential unauthorized realm URL requests that may indicate exploitation attempts or successful credential theft. Rotate any upstream registry credentials that were configured in vulnerable distribution deployments. Consult the GitHub Security Advisory at https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r for additional vendor guidance and validation procedures.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| suse/helm | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19289
GHSA-3p65-76g6-3w7r