CVE-2025-24976 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-24976 Interim 1 9 2026-03-05T01:12:11Z current 2025-02-14T00:12:37Z 2026-03-05T01:12:11Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-24976 Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://github.com/distribution/distribution/security/advisories//GHSA-phw4-mc57-4hwc E-Mail link for GHSA-phw4-mc57-4hwc https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Module for Containers 15 SP6 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Module for Containers 15 SP6 SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server Teradata 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Module for Containers 15 SP6 openSUSE Leap 15.6 openSUSE Tumbleweed distribution distribution-registry govulncheck-vulndb-0.0.20250312T181707-1.1 govulncheck-vulndb-0.0.20250814T182633-160000.1.2 libxml2-2-2.11.6-3.1 libxml2-tools-2.11.6-3.1 update-alternatives-1.22.0-slfo.1.1_2.1 libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/baremetal-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/base-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/kvm-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/rt-os-container:latest libxml2-2-2.11.6-3.1 as a component of Container suse/sl-micro/6.0/toolbox:latest libxml2-2-2.11.6-3.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-RT-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Base-qcow update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-SelfInstall update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-encrypted update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SL-Micro-Default-qcow libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-Azure update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-Azure libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-BYOS-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-BYOS-GCE libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-EC2 libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-EC2 update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-EC2 libxml2-2-2.11.6-3.1 as a component of Image SLE-Micro-GCE libxml2-tools-2.11.6-3.1 as a component of Image SLE-Micro-GCE update-alternatives-1.22.0-slfo.1.1_2.1 as a component of Image SLE-Micro-GCE govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as a component of SUSE Linux Enterprise Server 16.0 govulncheck-vulndb-0.0.20250312T181707-1.1 as a component of openSUSE Tumbleweed distribution-registry as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS distribution as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS distribution-registry as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS distribution as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS distribution-registry as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS distribution as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS distribution-registry as a component of SUSE Linux Enterprise Module for Containers 15 SP6 distribution as a component of SUSE Linux Enterprise Module for Containers 15 SP6 distribution-registry as a component of SUSE Linux Enterprise Server 15 SP4-LTSS distribution as a component of SUSE Linux Enterprise Server 15 SP4-LTSS distribution-registry as a component of SUSE Linux Enterprise Server 15 SP5-LTSS distribution as a component of SUSE Linux Enterprise Server 15 SP5-LTSS distribution as a component of SUSE Linux Enterprise Server Teradata 15 SP4 distribution-registry as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 distribution as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 distribution-registry as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 distribution as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 distribution-registry as a component of openSUSE Leap 15.6 distribution as a component of openSUSE Leap 15.6 Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the JSON web key (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (`kid`) matches one of the trusted keys, but doesn't verify that the actual key material matches. A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication. CVE-2025-24976 Container suse/sl-micro/6.0/baremetal-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/base-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/kvm-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/rt-os-container:latest:libxml2-2-2.11.6-3.1 Container suse/sl-micro/6.0/toolbox:latest:libxml2-2-2.11.6-3.1 Image SL-Micro:libxml2-2-2.11.6-3.1 Image SL-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-RT-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Base-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-SelfInstall:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-VMware:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-encrypted:update-alternatives-1.22.0-slfo.1.1_2.1 Image SL-Micro-Default-qcow:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro:libxml2-2-2.11.6-3.1 Image SLE-Micro:libxml2-tools-2.11.6-3.1 Image SLE-Micro:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-Azure:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-Azure:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-BYOS-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-BYOS-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-EC2:libxml2-2-2.11.6-3.1 Image SLE-Micro-EC2:libxml2-tools-2.11.6-3.1 Image SLE-Micro-EC2:update-alternatives-1.22.0-slfo.1.1_2.1 Image SLE-Micro-GCE:libxml2-2-2.11.6-3.1 Image SLE-Micro-GCE:libxml2-tools-2.11.6-3.1 Image SLE-Micro-GCE:update-alternatives-1.22.0-slfo.1.1_2.1 SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2 openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250312T181707-1.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:distribution SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:distribution-registry SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:distribution SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:distribution-registry SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:distribution SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:distribution-registry SUSE Linux Enterprise Module for Containers 15 SP6:distribution SUSE Linux Enterprise Module for Containers 15 SP6:distribution-registry SUSE Linux Enterprise Server 15 SP4-LTSS:distribution SUSE Linux Enterprise Server 15 SP4-LTSS:distribution-registry SUSE Linux Enterprise Server 15 SP5-LTSS:distribution SUSE Linux Enterprise Server 15 SP5-LTSS:distribution-registry SUSE Linux Enterprise Server Teradata 15 SP4:distribution SUSE Linux Enterprise Server for SAP Applications 15 SP4:distribution SUSE Linux Enterprise Server for SAP Applications 15 SP4:distribution-registry SUSE Linux Enterprise Server for SAP Applications 15 SP5:distribution SUSE Linux Enterprise Server for SAP Applications 15 SP5:distribution-registry openSUSE Leap 15.6:distribution openSUSE Leap 15.6:distribution-registry important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N