data/reports/GO-2021-0072.yaml - vulndb - Git at Google

 modules:
   - module: github.com/docker/distribution
     versions:
       - fixed: 2.7.0-rc.0+incompatible
     vulnerable_at: 2.6.2+incompatible
     vulnerable_at_requires:
       - github.com/Sirupsen/logrus@v1.0.6
     packages:
       - package: github.com/docker/distribution/registry/handlers
         symbols:
           - copyFullPayload
         derived_symbols:
           - NewApp
           - blobUploadHandler.PatchBlobData
           - blobUploadHandler.PutBlobUploadComplete
           - catalogHandler.GetCatalog
           - imageManifestHandler.GetImageManifest
           - imageManifestHandler.PutImageManifest
       - package: github.com/docker/distribution/registry/storage
         symbols:
           - blobStore.Get
         derived_symbols:
           - PurgeUploads
           - Walk
           - blobStore.Enumerate
           - linkedBlobStore.Enumerate
           - linkedBlobStore.Get
           - manifestStore.Enumerate
           - manifestStore.Get
           - registry.Enumerate
           - registry.Repositories
 description: |
     Various storage methods do not impose limits on how much content is accepted
     from user requests, allowing a malicious user to force the caller to allocate
     an arbitrary amount of memory.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2017-11468
 ghsas:
   - GHSA-h62f-wm92-2cmw
 references:
   - fix: https://github.com/distribution/distribution/pull/2340
   - fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
   - web: https://access.redhat.com/errata/RHSA-2017:2603
   - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html
	modules:
	- module: github.com/docker/distribution
	versions:
	- fixed: 2.7.0-rc.0+incompatible
	vulnerable_at: 2.6.2+incompatible
	vulnerable_at_requires:
	- github.com/Sirupsen/logrus@v1.0.6
	packages:
	- package: github.com/docker/distribution/registry/handlers
	symbols:
	- copyFullPayload
	derived_symbols:
	- NewApp
	- blobUploadHandler.PatchBlobData
	- blobUploadHandler.PutBlobUploadComplete
	- catalogHandler.GetCatalog
	- imageManifestHandler.GetImageManifest
	- imageManifestHandler.PutImageManifest
	- package: github.com/docker/distribution/registry/storage
	symbols:
	- blobStore.Get
	derived_symbols:
	- PurgeUploads
	- Walk
	- blobStore.Enumerate
	- linkedBlobStore.Enumerate
	- linkedBlobStore.Get
	- manifestStore.Enumerate
	- manifestStore.Get
	- registry.Enumerate
	- registry.Repositories
	description: \|
	Various storage methods do not impose limits on how much content is accepted
	from user requests, allowing a malicious user to force the caller to allocate
	an arbitrary amount of memory.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2017-11468
	ghsas:
	- GHSA-h62f-wm92-2cmw
	references:
	- fix: https://github.com/distribution/distribution/pull/2340
	- fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
	- web: https://access.redhat.com/errata/RHSA-2017:2603
	- web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html