CVE-2021-21272: Path Traversal

January 25, 2021 (updated February 21, 2024)

ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries.For oras CLI users, there is no workarounds other than pulling from a trusted artifact provider. For oras package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore, and use other content stores instead, or pull from a trusted artifact provider.

References

nvd.nist.gov/vuln/detail/CVE-2021-21272

Detect and mitigate CVE-2021-21272 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →