blob: 9c16779e4eec7e890afa867a2c9e470b652a856f [file] [log] [blame]
id: GO-2021-0072
modules:
- module: github.com/docker/distribution
versions:
- fixed: 2.7.0-rc.0+incompatible
vulnerable_at: 2.6.2+incompatible
vulnerable_at_requires:
- github.com/Sirupsen/logrus@v1.0.6
packages:
- package: github.com/docker/distribution/registry/handlers
symbols:
- copyFullPayload
derived_symbols:
- App.ServeHTTP
- NewApp
- blobUploadHandler.PatchBlobData
- blobUploadHandler.PutBlobUploadComplete
- catalogHandler.GetCatalog
- imageManifestHandler.GetImageManifest
- imageManifestHandler.PutImageManifest
- package: github.com/docker/distribution/registry/storage
symbols:
- blobStore.Get
derived_symbols:
- PurgeUploads
- Walk
- blobStore.Enumerate
- linkedBlobStore.Enumerate
- linkedBlobStore.Get
- manifestStore.Enumerate
- manifestStore.Get
- registry.Enumerate
- registry.Repositories
summary: Uncontrolled resource allocation in github.com/docker/distribution
description: |-
Various storage methods do not impose limits on how much content is accepted
from user requests, allowing a malicious user to force the caller to allocate an
arbitrary amount of memory.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2017-11468
ghsas:
- GHSA-h62f-wm92-2cmw
references:
- fix: https://github.com/distribution/distribution/pull/2340
- fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f
- web: https://access.redhat.com/errata/RHSA-2017:2603
- web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html
review_status: REVIEWED