CVE ID | CVE-2024-3727 |
Assigner | redhat |
Reserved | 2024-04-12 |
Published | 2024-05-09 |
Updated | 2024-07-24 |
Description
A flaw was found in the github.com/containers/image library: the integrity check values it handles (content digests) are not sufficiently validated before they are used. An attacker who can supply image content to a victim can use this to trigger unexpected authenticated registry accesses on the victim's behalf, causing resource exhaustion, local path traversal, and other attacks. Exploitation requires user interaction (UI:R in the vector below): the victim must process attacker-supplied image content.
Severity | HIGH 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Problem types
CWE-354: Improper Validation of Integrity Check Value
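The weakness class named above, shown on the two operations a digest drives in an image client: deriving a local blob path from a manifest-supplied digest, and checking that fetched bytes actually hash to that digest. This is an added illustration, not code from github.com/containers/image and not its vulnerable or fixed code path; the manifest JSON, the blob directory, the sha256-only digest grammar and the helper names (ParseDigest, LayerPaths, LayerPathsUnchecked, VerifyBlob, EscapesDir) are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Example-only digest grammar: canonical sha256 digests and nothing else.
// A real client accepts a registered set of algorithms; restricting to one
// keeps the check small for this illustration.
var sha256DigestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseDigest returns the digest unchanged if it is syntactically valid.
// Anything else (path separators, wrong length, upper-case hex) is rejected
// before the string reaches a path or URL.
func ParseDigest(s string) (string, error) {
	if !sha256DigestRe.MatchString(s) {
		return "", fmt.Errorf("invalid digest %q", s)
	}
	return s, nil
}

// VerifyBlob checks that data hashes to the digest the manifest claimed.
// Validating the digest string is not enough; the integrity check value must
// also be compared against the bytes that were actually fetched.
func VerifyBlob(dgst string, data []byte) (bool, error) {
	if _, err := ParseDigest(dgst); err != nil {
		return false, err
	}
	sum := sha256.Sum256(data)
	return "sha256:"+hex.EncodeToString(sum[:]) == dgst, nil
}

// manifest holds the one field this example reads from an image manifest.
type manifest struct {
	Layers []struct {
		Digest string `json:"digest"`
	} `json:"layers"`
}

// blobPath splices "<alg>/<encoded>" under blobDir. It trusts its caller to
// have validated dgst; filepath.Join cleans the path but does not confine it.
func blobPath(blobDir, dgst string) string {
	alg, enc, _ := strings.Cut(dgst, ":")
	return filepath.Join(blobDir, alg, enc)
}

// LayerPathsUnchecked is the weak pattern: manifest-supplied digests go
// straight into filesystem paths.
func LayerPathsUnchecked(blobDir string, manifestJSON []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var out []string
	for _, l := range m.Layers {
		out = append(out, blobPath(blobDir, l.Digest))
	}
	return out, nil
}

// LayerPaths is the hardened form: every digest is validated first, and one
// bad digest rejects the whole manifest.
func LayerPaths(blobDir string, manifestJSON []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var out []string
	for _, l := range m.Layers {
		d, err := ParseDigest(l.Digest)
		if err != nil {
			return nil, err
		}
		out = append(out, blobPath(blobDir, d))
	}
	return out, nil
}

// EscapesDir reports whether p resolves outside dir.
func EscapesDir(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Constructed manifest: one honest layer (sha256 of "hello world") and one
// whose "digest" is a traversal string.
const CraftedManifest = `{"layers":[
 {"digest":"sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
 {"digest":"sha256:../../etc/passwd"}]}`

const BlobDir = "/var/lib/blobs" // constructed for the example

func main() {
	paths, _ := LayerPathsUnchecked(BlobDir, []byte(CraftedManifest))
	for _, p := range paths {
		fmt.Printf("unchecked: %s (escapes blob dir: %v)\n", p, EscapesDir(BlobDir, p))
	}
	if _, err := LayerPaths(BlobDir, []byte(CraftedManifest)); err != nil {
		fmt.Println("checked:", err)
	}
	ok, _ := VerifyBlob("sha256:b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9", []byte("hello world"))
	fmt.Println("content matches digest:", ok)
}
```

The unchecked variant yields /var/lib/etc/passwd for the crafted layer, outside the blob directory; the checked variant refuses the manifest. The same validate-then-use rule applies when the digest is placed into a registry request path such as /v2/<name>/blobs/<digest>, which is where an unvalidated value turns into an unexpected authenticated request.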
Product status
The record lists Red Hat product entries by default status. Four entries carry a version range; in each, the default status is affected and versions from the listed one onward ("before *") are unaffected:
Default status | affected | 4:4.9.4-5.1.rhaos4.16.el9 before * | unaffected |
Default status | affected | 2:1.14.4-1.rhaos4.16.el8 before * | unaffected |
Default status | affected | 0:1.29.5-7.rhaos4.16.git7db4ada.el9 before * | unaffected |
Default status | affected | v4.16.0-202407171536.p0.g1551101.assembly.stream.el9 before * | unaffected |
The remaining entries record only a default status (affected, unaffected, or unknown) with no version range.
Timeline
2024-04-12: | Reported to Red Hat. |
2024-05-09: | Made public. |
References
https://access.redhat.com/errata/RHSA-2024:0045 (RHSA-2024:0045) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:4159 (RHSA-2024:4159) vendor-advisory
https://access.redhat.com/errata/RHSA-2024:4613 (RHSA-2024:4613) vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-3727 vdb-entry
https://bugzilla.redhat.com/show_bug.cgi?id=2274767 (RHBZ#2274767) issue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/ mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/ mailing-list
https://www.cve.org/CVERecord?id=CVE-2024-3727 (cve.org record)
https://nvd.nist.gov/vuln/detail/CVE-2024-3727 (NVD entry)