CVE-2023-45821

Name of the Vulnerable Software and Affected Versions Artifact Hub versions prior to 1.16.0

Description A security issue was identified in Artifact Hub's code base where the registryIsDockerHub function only checked if the registry domain had the docker.io suffix. This allowed for the potential hijacking of Docker credentials by purchasing a domain ending with docker.io and deploying a fake OCI registry. The credentials in question are used to increase the rate limit when interacting with the Docker Hub registry API for publicly available content. Although the credentials used by artifacthub.io only have permissions to read public content, other deployments might have used them differently.

Recommendations For versions prior to 1.16.0, upgrade to version 1.16.0 to resolve the issue. As a temporary workaround, consider restricting the use of Docker credentials until the upgrade is applied. Avoid using the registryIsDockerHub function until the issue is resolved.