data/reports/GO-2021-0072.yaml - vulndb - Git at Google

 id: GO-2021-0072
 modules:
     - module: github.com/docker/distribution
       versions:
         - fixed: 2.7.0-rc.0+incompatible
       vulnerable_at: 2.6.2+incompatible
       vulnerable_at_requires:
         - github.com/Sirupsen/logrus@v1.0.6
       packages:
         - package: github.com/docker/distribution/registry/handlers
           symbols:
             - copyFullPayload
           derived_symbols:
             - NewApp
             - blobUploadHandler.PatchBlobData
             - blobUploadHandler.PutBlobUploadComplete
             - catalogHandler.GetCatalog
             - imageManifestHandler.GetImageManifest
             - imageManifestHandler.PutImageManifest
         - package: github.com/docker/distribution/registry/storage
           symbols:
             - blobStore.Get
           derived_symbols:
             - PurgeUploads
             - Walk
             - blobStore.Enumerate
             - linkedBlobStore.Enumerate
             - linkedBlobStore.Get
             - manifestStore.Enumerate
             - manifestStore.Get
             - registry.Enumerate
             - registry.Repositories
 summary: Uncontrolled resource allocation in github.com/docker/distribution
 description: |-
     Various storage methods do not impose limits on how much content is accepted
     from user requests, allowing a malicious user to force the caller to allocate an
     arbitrary amount of memory.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2017-11468
 ghsas:
     - GHSA-h62f-wm92-2cmw
 references:
     - fix: https://github.com/distribution/distribution/pull/2340
     - fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
     - web: https://access.redhat.com/errata/RHSA-2017:2603
     - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html
	id: GO-2021-0072
	modules:
	- module: github.com/docker/distribution
	versions:
	- fixed: 2.7.0-rc.0+incompatible
	vulnerable_at: 2.6.2+incompatible
	vulnerable_at_requires:
	- github.com/Sirupsen/logrus@v1.0.6
	packages:
	- package: github.com/docker/distribution/registry/handlers
	symbols:
	- copyFullPayload
	derived_symbols:
	- NewApp
	- blobUploadHandler.PatchBlobData
	- blobUploadHandler.PutBlobUploadComplete
	- catalogHandler.GetCatalog
	- imageManifestHandler.GetImageManifest
	- imageManifestHandler.PutImageManifest
	- package: github.com/docker/distribution/registry/storage
	symbols:
	- blobStore.Get
	derived_symbols:
	- PurgeUploads
	- Walk
	- blobStore.Enumerate
	- linkedBlobStore.Enumerate
	- linkedBlobStore.Get
	- manifestStore.Enumerate
	- manifestStore.Get
	- registry.Enumerate
	- registry.Repositories
	summary: Uncontrolled resource allocation in github.com/docker/distribution
	description: \|-
	Various storage methods do not impose limits on how much content is accepted
	from user requests, allowing a malicious user to force the caller to allocate an
	arbitrary amount of memory.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2017-11468
	ghsas:
	- GHSA-h62f-wm92-2cmw
	references:
	- fix: https://github.com/distribution/distribution/pull/2340
	- fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
	- web: https://access.redhat.com/errata/RHSA-2017:2603
	- web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html