| { |
| "schema_version": "1.3.1", |
| "id": "GO-2024-2842", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2024-3727", |
| "GHSA-6wvf-f2vw-3425" |
| ], |
| "summary": "Unexpected authenticated registry accesses in github.com/containers/image/v5", |
| "details": "An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/containers/image/v5", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "5.30.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/containers/image/v5/copy", |
| "symbols": [ |
| "Image", |
| "copier.createProgressBar", |
| "imageCopier.copyConfig", |
| "imageCopier.copyLayer" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/directory", |
| "symbols": [ |
| "dirImageDestination.PutBlobWithOptions", |
| "dirImageDestination.PutManifest", |
| "dirImageDestination.PutSignaturesWithFormat", |
| "dirImageDestination.TryReusingBlobWithOptions", |
| "dirImageSource.GetBlob", |
| "dirImageSource.GetManifest", |
| "dirImageSource.GetSignaturesWithFormat", |
| "dirReference.NewImage" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/docker", |
| "symbols": [ |
| "GetRepositoryTags", |
| "Image.GetRepositoryTags", |
| "deleteImage", |
| "dockerClient.fetchManifest", |
| "dockerClient.getBlob", |
| "dockerClient.getExtensionsSignatures", |
| "dockerClient.getSigstoreAttachmentManifest", |
| "dockerImageDestination.PutBlobWithOptions", |
| "dockerImageDestination.PutManifest", |
| "dockerImageDestination.PutSignaturesWithFormat", |
| "dockerImageDestination.TryReusingBlobWithOptions", |
| "dockerImageDestination.blobExists", |
| "dockerImageDestination.putSignaturesToLookaside", |
| "dockerImageDestination.putSignaturesToSigstoreAttachments", |
| "dockerImageSource.GetBlob", |
| "dockerImageSource.GetBlobAt", |
| "dockerImageSource.GetManifest", |
| "dockerImageSource.GetSignaturesWithFormat", |
| "dockerImageSource.getSignaturesFromLookaside", |
| "dockerReference.DeleteImage", |
| "dockerReference.NewImage", |
| "dockerReference.NewImageSource", |
| "lookasideStorageURL", |
| "sigstoreAttachmentTag" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/docker/internal/tarfile", |
| "symbols": [ |
| "Destination.PutBlobWithOptions", |
| "Destination.PutManifest", |
| "Writer.configPath", |
| "Writer.ensureManifestItemLocked", |
| "Writer.ensureSingleLegacyLayerLocked", |
| "Writer.physicalLayerPath", |
| "Writer.writeLegacyMetadataLocked" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/openshift", |
| "symbols": [ |
| "openshiftImageDestination.PutBlobWithOptions", |
| "openshiftImageDestination.PutManifest", |
| "openshiftImageDestination.TryReusingBlobWithOptions", |
| "openshiftImageSource.GetBlob", |
| "openshiftImageSource.GetManifest", |
| "openshiftImageSource.GetSignaturesWithFormat", |
| "openshiftReference.NewImage" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/ostree", |
| "symbols": [ |
| "ostreeImageDestination.Commit", |
| "ostreeImageDestination.TryReusingBlobWithOptions", |
| "ostreeImageSource.GetBlob" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/pkg/blobcache", |
| "symbols": [ |
| "BlobCache.HasBlob", |
| "BlobCache.NewImage", |
| "BlobCache.blobPath", |
| "BlobCache.findBlob", |
| "blobCacheDestination.PutBlobWithOptions", |
| "blobCacheDestination.PutManifest", |
| "blobCacheDestination.TryReusingBlobWithOptions", |
| "blobCacheDestination.saveStream", |
| "blobCacheSource.GetBlob", |
| "blobCacheSource.GetBlobAt", |
| "blobCacheSource.GetManifest", |
| "blobCacheSource.LayerInfosForCopy" |
| ] |
| }, |
| { |
| "path": "github.com/containers/image/v5/storage", |
| "symbols": [ |
| "ResolveReference", |
| "manifestBigDataKey", |
| "signatureBigDataKey", |
| "storageImageDestination.Commit", |
| "storageImageDestination.PutBlobWithOptions", |
| "storageImageDestination.TryReusingBlobWithOptions", |
| "storageImageDestination.tryReusingBlobAsPending", |
| "storageImageSource.GetManifest", |
| "storageImageSource.GetSignaturesWithFormat", |
| "storageImageSource.LayerInfosForCopy", |
| "storageReference.DeleteImage", |
| "storageReference.NewImage", |
| "storageReference.NewImageSource", |
| "storageTransport.GetImage", |
| "storageTransport.GetStoreImage" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/advisories/GHSA-6wvf-f2vw-3425" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/containers/image/commit/132678b47bae29c710589012668cb85859d88385" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://access.redhat.com/security/cve/CVE-2024-3727" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274767" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/containers/image/releases/tag/v5.30.1" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2024-2842", |
| "review_status": "REVIEWED" |
| } |
| } |
