GHSA-7qw8-847f-pggm

Suggest an improvement
Source
https://github.com/advisories/GHSA-7qw8-847f-pggm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7qw8-847f-pggm/GHSA-7qw8-847f-pggm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7qw8-847f-pggm
Aliases
Published
2021-05-10T19:35:07Z
Modified
2023-11-08T04:04:36.808520Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Improper Locking in github.com/containers/storage
Details

A deadlock vulnerability was found in github.com/containers/storage in versions before 1.28.1. When a container image is processed, each layer is unpacked using tar. If one of those layers is not a valid tar archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).

Database specific
{
    "nvd_published_at": "2021-04-01T18:15:00Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-667"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-04T19:15:55Z"
}
References

Affected packages

Go / github.com/containers/storage

Package

Name
github.com/containers/storage
View open source insights on deps.dev
Purl
pkg:golang/github.com/containers/storage

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.1