Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries

Description

Impact

In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure authentication providers may be impacted.
Both Azure authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However, Ratify’s Azure authentication providers did not verify that the target registry is an ACR. This could have led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR access can potentially be extracted and abused if a user workload contains an image reference to a malicious registry.

Patches

The Azure workload identity and Azure managed identity authentication providers are updated to add new validation prior to EID token exchange. Validation relies upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard support included) matches the registry domain of the image reference.

Credits

The ratify project would like to thank Shiwei Zhang (@shizhMSFT) and Binbin Li (@binbin-li) for responsibly disclosing the issue and thank Binbin Li (@binbin-li) and Akash Singhal (@akashsinghal) for actively mitigating the issue.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-03-11 15:27:16 UTC
Updated
2025-03-14 20:00:48 UTC
GitHub reviewed
2025-03-11 15:27:16 UTC
NVD published
2025-03-11

EPSS Score

Score Percentile
0.20% 42.11%

CVSS Scores

Base score Version Severity Vector
7.2 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:L)
Limited availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-287 Improper Authentication
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/ratify-project/ratify < 1.2.3 1.2.3
go github.com/ratify-project/ratify >= 1.3.0, < 1.3.2 1.3.2
go github.com/deislabs/ratify < 1.2.3 1.2.3

References

cvelogic Threat Intelligence