Authorization Bypass Through User-Controlled Key
CVE-2025-24976
Summary
Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running the registry with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). The issue lies in how the "JSON web key" (JWK) verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks whether the KeyID (`kid`) matches one of the trusted keys, but does not verify that the actual key material matches. There is no way to work around this issue without patching if the system requires token authentication. This issue affects github.com/distribution/distribution/v3 versions 3.0.0-beta.1 through 3.0.0-rc.2.
- LOW
- NETWORK
- NONE
- NONE
CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
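A simplified illustration of the flaw described in the summary, written in Go as an added example (it is not distribution's code): the `JWK` type, the trusted-key map and both resolver functions are hypothetical, and the key pairs are constructed inline. The vulnerable resolver accepts any key material whose `kid` matches a trusted entry; the fixed resolver compares the material itself and always returns the trusted copy.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// JWK stands in for the JOSE "jwk" header: a key ID plus the public key
// material the header claims to carry (hypothetical type, not distribution's).
type JWK struct {
	KeyID  string
	Public crypto.PublicKey
}

// keyEqualer is implemented by rsa, ecdsa and ed25519 public keys in the standard library.
type keyEqualer interface{ Equal(x crypto.PublicKey) bool }

// vulnerableResolve mirrors the flaw in the advisory: a kid matching a trusted key
// is enough, and the header's own key material is handed back for verification.
func vulnerableResolve(trusted map[string]crypto.PublicKey, hdr JWK) (crypto.PublicKey, error) {
	if _, ok := trusted[hdr.KeyID]; !ok {
		return nil, errors.New("unknown kid")
	}
	return hdr.Public, nil // BUG: caller-supplied key, never compared to the trusted one
}

// fixedResolve treats kid only as a lookup hint: the header's key must equal
// the trusted key material, and the trusted copy is what gets returned.
func fixedResolve(trusted map[string]crypto.PublicKey, hdr JWK) (crypto.PublicKey, error) {
	want, ok := trusted[hdr.KeyID]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	if eq, ok := want.(keyEqualer); !ok || !eq.Equal(hdr.Public) {
		return nil, errors.New("jwk key material does not match trusted key")
	}
	return want, nil
}

func main() {
	goodPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rogue, _, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]crypto.PublicKey{"registry-key-1": goodPub}
	hdr := JWK{KeyID: "registry-key-1", Public: rogue} // constructed: trusted kid, untrusted key
	_, errV := vulnerableResolve(trusted, hdr)
	_, errF := fixedResolve(trusted, hdr)
	fmt.Println("kid-only check accepts rogue key:", errV == nil, "| material check accepts it:", errF == nil)
}
```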