Vulnerability Report: GO-2024-2842

CVE-2024-3727, GHSA-6wvf-f2vw-3425
Affects: github.com/containers/image/v5
Published: May 20, 2024

An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-6wvf-f2vw-3425.

Affected Packages

Path

Versions

Symbols
github.com/containers/image/v5/copy

before v5.30.1
- Image
github.com/containers/image/v5/directory

before v5.30.1
8 unexported affected symbols
- dirImageDestination.PutBlobWithOptions
- dirImageDestination.PutManifest
- dirImageDestination.PutSignaturesWithFormat
- dirImageDestination.TryReusingBlobWithOptions
- dirImageSource.GetBlob
- dirImageSource.GetManifest
- dirImageSource.GetSignaturesWithFormat
- dirReference.NewImage
github.com/containers/image/v5/docker

before v5.30.1
- GetRepositoryTags
- Image.GetRepositoryTags
github.com/containers/image/v5/docker/internal/tarfile

before v5.30.1
- Destination.PutBlobWithOptions
- Destination.PutManifest
github.com/containers/image/v5/openshift

before v5.30.1
7 unexported affected symbols
- openshiftImageDestination.PutBlobWithOptions
- openshiftImageDestination.PutManifest
- openshiftImageDestination.TryReusingBlobWithOptions
- openshiftImageSource.GetBlob
- openshiftImageSource.GetManifest
- openshiftImageSource.GetSignaturesWithFormat
- openshiftReference.NewImage
github.com/containers/image/v5/ostree

before v5.30.1
3 unexported affected symbols
- ostreeImageDestination.Commit
- ostreeImageDestination.TryReusingBlobWithOptions
- ostreeImageSource.GetBlob
github.com/containers/image/v5/pkg/blobcache

before v5.30.1
- BlobCache.HasBlob
- BlobCache.NewImage
github.com/containers/image/v5/storage

before v5.30.1
- ResolveReference

Aliases

References

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL