Bug 2344940 (CVE-2025-24976)

Summary: CVE-2025-24976 distribution: Distribution's token authentication allows attacker to inject an untrusted signing key in a JWT
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adistefa, alcohan, anjoseph, brainfor, dfreiber, dhanak, drosa, drow, dsimansk, dymurray, gparvin, jburrell, jmatthew, jprabhak, jsamir, kingland, kverlaen, ldai, ljawale, lsharar, lucarval, luizcosta, matzew, mnovotny, njean, nweather, owatkins, pahickey, pierdipi, rbobbitt, rguimara, rhaigner, rhuss, rjohnson, sausingh, sthirugn, vkrizan, vkumar, whayutin, wtam
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Distribution. Certain versions with token authentication enabled may be vulnerable to an issue where token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue is due to how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys but doesn't verify that the key material matches.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-11 16:01:45 UTC 
Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication.
Comment 3 errata-xmlrpc 2025-03-11 02:08:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:2449 https://access.redhat.com/errata/RHSA-2025:2449
Comment 4 errata-xmlrpc 2025-03-12 17:40:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:2445 https://access.redhat.com/errata/RHSA-2025:2445