{"containers": {"cna": {"affected": [{"product": "oras", "vendor": "deislabs", "versions": [{"status": "affected", "version": ">= 0.4.0, < 0.9.0"}]}], "descriptions": [{"lang": "en", "value": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-25T18:30:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"}, {"tags": ["x_refsource_MISC"], "url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"}], "source": {"advisory": "GHSA-g5v4-5x39-vwhx", "discovery": "UNKNOWN"}, "title": "zip slip in ORAS", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21272", "STATE": "PUBLIC", "TITLE": "zip slip in ORAS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "oras", "version": {"version_data": [{"version_value": ">= 0.4.0, < 0.9.0"}]}}]}, "vendor_name": "deislabs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx", "refsource": "CONFIRM", "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"}, {"name": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e", "refsource": "MISC", "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"}, {"name": "https://github.com/deislabs/oras/releases/tag/v0.9.0", "refsource": "MISC", "url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"}, {"name": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras", "refsource": "MISC", "url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"}]}, "source": {"advisory": "GHSA-g5v4-5x39-vwhx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.220Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21272", "datePublished": "2021-01-25T18:30:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.220Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deislabs:oras:*:*:*:*:*:*:*:*", "matchCriteriaId": "93510360-3674-4A55-9BB0-5FA39B53B970", "versionEndExcluding": "0.9.0", "versionStartIncluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider."}, {"lang": "es", "value": "ORAS es un software de c\u00f3digo abierto que permite una forma de empujar artefactos OCI a registros conformes con OCI. ORAS es tanto un CLI para pruebas iniciales como un m\u00f3dulo Go. En ORAS a partir de la versi\u00f3n 0.4.0 y anterior a la versi\u00f3n 0.9.0, existe una vulnerabilidad de \"deslizamiento de zip\". La funci\u00f3n de soporte de directorios permite que los tarballs gzipped descargados se extraigan autom\u00e1ticamente al directorio especificado por el usuario, donde el tarball puede tener enlaces simb\u00f3licos y enlaces duros. Un tarball o tarballs bien elaborados permiten a los proveedores de artefactos maliciosos enlazar, escribir o sobrescribir archivos espec\u00edficos en el sistema de archivos del host fuera del directorio especificado por el usuario de forma inesperada con los mismos permisos que el usuario que ejecuta `oras pull`. Los usuarios de las versiones afectadas se ven afectados si son usuarios de `oras` CLI que ejecutan `oras pull`, o si son programas Go, que invocan `github.com/deislabs/oras/pkg/content.FileStore`. El problema ha sido corregido en la versi\u00f3n 0.9.0. Para los usuarios de la CLI de `oras`, no hay ninguna soluci\u00f3n que no sea la de extraer de un proveedor de artefactos de confianza. Para los usuarios del paquete `oras`, la soluci\u00f3n es no utilizar `github.com/deislabs/oras/pkg/content.FileStore`, y utilizar otros almacenes de contenido en su lugar, o tirar de un proveedor de artefactos de confianza"}], "id": "CVE-2021-21272", "lastModified": "2024-02-21T20:39:19.723", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-25T19:15:12.847", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/deislabs/oras/releases/tag/v0.9.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/github.com/deislabs/oras/pkg/oras"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/endpoint-monitoring-rhel8-operator:v2.3.0-49", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/multicluster-operators-subscription-release-rhel8:v2.3.0-43", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/multicluster-operators-subscription-rhel8:v2.3.0-66", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/search-collector-rhel8:v2.3.0-52", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}], "bugzilla": {"description": "oras: zip-slip vulnerability via oras-pull", "id": "1921286", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1921286"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a \"zip-slip\" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who runs `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there is no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.", "A flaw was found in oras. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`."], "name": "CVE-2021-21272", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-subscription", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicloud-operators-subscription-release", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "multicluster-monitoring-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "search-collector", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "rox", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/cnf-tests-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/compliance-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/file-integrity-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "impact": "low", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "impact": "low", "package_name": "openshift4/ose-helm-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-ptp-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-sriov-network-config-daemon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-sriov-network-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-sriov-network-webhook", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4/ose-sriov-operator-must-gather", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "impact": "low", "package_name": "openshift4-wincw/windows-machine-config-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "impact": "low", "package_name": "rhai-tech-preview/assisted-installer-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "impact": "low", "package_name": "rhai-tech-preview/assisted-installer-reporter-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "impact": "low", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "cluster-network-addons-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "container-native-virtualization/vm-import-controller-rhel8", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hostpath-provisioner-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "hyperconverged-cluster-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubernetes-nmstate-handler-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "node-maintenance-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "vm-import-operator-container", "product_name": "Red Hat OpenShift Virtualization 2"}], "public_date": "2021-01-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-21272\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21272\nhttps://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx"], "statement": "A vulnerable version of github.com/deislabs/oras package is delivered in listed OpenShift Container Platform (OCP) and OpenShift Container Storage components, but the vulnerable code is not invoked, therefore these components are affected but with impact Low.", "threat_severity": "Moderate", "upstream_fix": "github.com/deislabs/oras 0.9.0"}