Description
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Reserved 2024-04-12 | Published 2024-05-09 | Updated 2025-01-13 | Assigner: redhat
Severity HIGH: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Problem types
Improper Validation of Integrity Check Value
Product status
Default status: unaffected. Any version before 5.29.3: affected. 5.30.0 before 5.30.1: affected.
Default status: affected. 1.3.4-9 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-4 before *: unaffected.
Default status: affected. 4.4.5-3 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-3 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-2 before *: unaffected.
Default status: affected. 4.4.5-3 before *: unaffected.
Default status: affected. 4.4.5-3 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-1 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 4.5.2-2 before *: unaffected.
Default status: affected. 8100020240808093819.afee755d before *: unaffected.
Default status: affected. 2:1.37.2-1.el9 before *: unaffected.
Default status: affected. 2:1.16.1-1.el9 before *: unaffected.
Default status: affected. 2:5.2.2-1.el9 before *: unaffected.
Default status: affected. v1.8.4-22 before *: unaffected.
Default status: affected. 3:4.4.1-13.rhaos4.13.el8 before *: unaffected.
Default status: affected. 2:1.11.3-3.rhaos4.13.el8 before *: unaffected.
Default status: affected. v4.14.0-202407260439.p0.g8d9b39e.assembly.stream.el8 before *: unaffected.
Default status: affected. 3:4.4.1-19.rhaos4.14.el9 before *: unaffected.
Default status: affected. 2:1.11.3-3.rhaos4.14.el9 before *: unaffected.
Default status: affected. 3:4.4.1-30.rhaos4.15.el9 before *: unaffected.
Default status: affected. 2:1.11.3-4.rhaos4.15.el8 before *: unaffected.
Default status: affected. v4.15.0-202410230304.p0.g366295f.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.15.0-202410230304.p0.gfde2b2e.assembly.stream.el8 before *: unaffected.
Default status: affected. v4.15.0-202407230407.p0.gf3f8de5.assembly.stream.el9 before *: unaffected.
Default status: affected. 4:4.9.4-5.1.rhaos4.16.el8 before *: unaffected.
Default status: affected. 2:1.14.4-1.rhaos4.16.el9 before *: unaffected.
Default status: affected. 0:1.29.5-7.rhaos4.16.git7db4ada.el8 before *: unaffected.
Default status: affected. v4.16.0-202407171536.p0.g1551101.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.16.0-202409162206.p0.g6a425ab.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.16.0-202409231504.p0.g342902b.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.16.0-202410172201.p0.gb121e87.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.17.0-202409122005.p0.gb170ad0.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.17.0-202409100034.p0.g8d16b39.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.17.0-202410022234.p0.gfbc55c6.assembly.stream.el9 before *: unaffected.
Default status: affected. v4.15.5-7 before *: unaffected.
Timeline
2024-04-12: Reported to Red Hat.
2024-05-09: Made public.
References
access.redhat.com/errata/RHSA-2024:0045 (RHSA-2024:0045) vendor-advisory
access.redhat.com/errata/RHSA-2024:3718 (RHSA-2024:3718) vendor-advisory
access.redhat.com/errata/RHSA-2024:4159 (RHSA-2024:4159) vendor-advisory
access.redhat.com/errata/RHSA-2024:4613 (RHSA-2024:4613) vendor-advisory
access.redhat.com/errata/RHSA-2024:4850 (RHSA-2024:4850) vendor-advisory
access.redhat.com/errata/RHSA-2024:4960 (RHSA-2024:4960) vendor-advisory
access.redhat.com/errata/RHSA-2024:5258 (RHSA-2024:5258) vendor-advisory
access.redhat.com/errata/RHSA-2024:5951 (RHSA-2024:5951) vendor-advisory
access.redhat.com/errata/RHSA-2024:6054 (RHSA-2024:6054) vendor-advisory
access.redhat.com/errata/RHSA-2024:6708 (RHSA-2024:6708) vendor-advisory
access.redhat.com/errata/RHSA-2024:6824 (RHSA-2024:6824) vendor-advisory
access.redhat.com/errata/RHSA-2024:7164 (RHSA-2024:7164) vendor-advisory
access.redhat.com/errata/RHSA-2024:7174 (RHSA-2024:7174) vendor-advisory
access.redhat.com/errata/RHSA-2024:7182 (RHSA-2024:7182) vendor-advisory
access.redhat.com/errata/RHSA-2024:7187 (RHSA-2024:7187) vendor-advisory
access.redhat.com/errata/RHSA-2024:7922 (RHSA-2024:7922) vendor-advisory
access.redhat.com/errata/RHSA-2024:7941 (RHSA-2024:7941) vendor-advisory
access.redhat.com/errata/RHSA-2024:8260 (RHSA-2024:8260) vendor-advisory
access.redhat.com/errata/RHSA-2024:8425 (RHSA-2024:8425) vendor-advisory
access.redhat.com/errata/RHSA-2024:9097 (RHSA-2024:9097) vendor-advisory
access.redhat.com/errata/RHSA-2024:9098 (RHSA-2024:9098) vendor-advisory
access.redhat.com/errata/RHSA-2024:9102 (RHSA-2024:9102) vendor-advisory
access.redhat.com/errata/RHSA-2024:9960 (RHSA-2024:9960) vendor-advisory
access.redhat.com/security/cve/CVE-2024-3727 vdb-entry
bugzilla.redhat.com/show_bug.cgi?id=2274767 (RHBZ#2274767) issue-tracking
cve.org (CVE-2024-3727)
nvd.nist.gov (CVE-2024-3727)