SCA: security update for github.com/deislabs/ratify, github.com/ratify-project/ratify (GHSA-44f7-5fj5-h4px)

high Tenable Cloud Security Plugin ID 421089

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Ratify is a verification engine as a binary executable and on Kubernetes which enables verification of
artifact security metadata and admits for deployment only those that comply with policies the user
creates. In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure
Container Registry (ACR). The Azure workload identity and Azure managed identity authentication providers
are configured in this setup. Users that configure a private ACR to be used with the Azure authentication
providers may be impacted by a vulnerability that exists in versions prior to 1.2.3 and 1.3.2. Both Azure
authentication providers attempt to exchange an Entra ID (EID) token for an ACR refresh token. However,
Ratify’s Azure authentication providers did not verify that the target registry is an ACR. This could have
led to the EID token being presented to a non-ACR registry during token exchange. EID tokens with ACR
access can potentially be extracted and abused if a user workload contains an image reference to a
malicious registry. As of versions 1.2.3 and 1.3.2, the Azure workload identity and Azure managed identity
authentication providers are updated to add new validation prior to EID token exchange. Validation relies
upon registry domain validation against a pre-configured list of well-known ACR endpoints. EID token
exchange will be executed only if at least one of the configured well-known domain suffixes (wildcard
support included) matches the registry domain of the image reference. (CVE-2025-27403)

See Also

https://github.com/advisories/GHSA-44f7-5fj5-h4px

Plugin Details

Severity: High

ID: 421089

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.91

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-27403

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.2

Threat Score: 4.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:L

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2025

Vulnerability Publication Date: 3/11/2025

Reference Information

CVE: CVE-2025-27403