{"uuid": "ea73c08f-236c-491c-b094-9d6893dd77c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "GHSA-QV35-3GW6-8Q4J", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/3374", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: GHSA-qv35-3gw6-8q4j\n\ud83d\udd25 CVSS Score: 5.1 (CVSS_V3)\n\ud83d\udd39 Description: ### Impact\nA malicious registry could return a different digest for a pinned manifest without detection.\n\n### Patches\nThis has been fixed in the v0.7.1 release.\n\n### Workarounds\nAfter running a `regclient.ManifestGet`, the returned digest can be compared to the requested digest.\n\n\ud83d\udccf Published: 2024-08-05T14:46:22Z\n\ud83d\udccf Modified: 2025-01-29T16:57:28Z\n\ud83d\udd17 References:\n1. https://github.com/regclient/regclient/security/advisories/GHSA-qv35-3gw6-8q4j\n2. https://github.com/regclient/regclient/commit/7d17cff26c22196b5ddd66bda8c5ee4abf3d1269\n3. https://github.com/regclient/regclient\n4. https://pkg.go.dev/vuln/GO-2024-3038", "creation_timestamp": "2025-01-29T17:11:09.000000Z"}