| id: GO-2021-0072 |
| modules: |
| - module: github.com/docker/distribution |
| versions: |
| - fixed: 2.7.0-rc.0+incompatible |
| vulnerable_at: 2.6.2+incompatible |
| vulnerable_at_requires: |
| - github.com/Sirupsen/logrus@v1.0.6 |
| packages: |
| - package: github.com/docker/distribution/registry/handlers |
| symbols: |
| - copyFullPayload |
| derived_symbols: |
| - App.ServeHTTP |
| - NewApp |
| - blobUploadHandler.PatchBlobData |
| - blobUploadHandler.PutBlobUploadComplete |
| - catalogHandler.GetCatalog |
| - imageManifestHandler.GetImageManifest |
| - imageManifestHandler.PutImageManifest |
| - package: github.com/docker/distribution/registry/storage |
| symbols: |
| - blobStore.Get |
| derived_symbols: |
| - PurgeUploads |
| - Walk |
| - blobStore.Enumerate |
| - linkedBlobStore.Enumerate |
| - linkedBlobStore.Get |
| - manifestStore.Enumerate |
| - manifestStore.Get |
| - registry.Enumerate |
| - registry.Repositories |
| summary: Uncontrolled resource allocation in github.com/docker/distribution |
| description: |- |
| Various storage methods do not impose limits on how much content is accepted |
| from user requests, allowing a malicious user to force the caller to allocate an |
| arbitrary amount of memory. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2017-11468 |
| ghsas: |
| - GHSA-h62f-wm92-2cmw |
| references: |
| - fix: https://github.com/distribution/distribution/pull/2340 |
| - fix: https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f |
| - web: https://access.redhat.com/errata/RHSA-2017:2603 |
| - web: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html |
| review_status: REVIEWED |