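An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, which can lead to resource exhaustion, local path traversal, and other attacks. The records below give the advisory reference (GO-2024-2842) and the github.com/containers/image/v5 packages and symbols it lists as affected.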
{
"review_status": "REVIEWED",
"url": "https://pkg.go.dev/vuln/GO-2024-2842"
}{
"imports": [
{
"path": "github.com/containers/image/v5/copy",
"symbols": [
"Image",
"copier.createProgressBar",
"imageCopier.copyConfig",
"imageCopier.copyLayer"
]
},
{
"path": "github.com/containers/image/v5/directory",
"symbols": [
"dirImageDestination.PutBlobWithOptions",
"dirImageDestination.PutManifest",
"dirImageDestination.PutSignaturesWithFormat",
"dirImageDestination.TryReusingBlobWithOptions",
"dirImageSource.GetBlob",
"dirImageSource.GetManifest",
"dirImageSource.GetSignaturesWithFormat",
"dirReference.NewImage"
]
},
{
"path": "github.com/containers/image/v5/docker",
"symbols": [
"GetRepositoryTags",
"Image.GetRepositoryTags",
"deleteImage",
"dockerClient.fetchManifest",
"dockerClient.getBlob",
"dockerClient.getExtensionsSignatures",
"dockerClient.getSigstoreAttachmentManifest",
"dockerImageDestination.PutBlobWithOptions",
"dockerImageDestination.PutManifest",
"dockerImageDestination.PutSignaturesWithFormat",
"dockerImageDestination.TryReusingBlobWithOptions",
"dockerImageDestination.blobExists",
"dockerImageDestination.putSignaturesToLookaside",
"dockerImageDestination.putSignaturesToSigstoreAttachments",
"dockerImageSource.GetBlob",
"dockerImageSource.GetBlobAt",
"dockerImageSource.GetManifest",
"dockerImageSource.GetSignaturesWithFormat",
"dockerImageSource.getSignaturesFromLookaside",
"dockerReference.DeleteImage",
"dockerReference.NewImage",
"dockerReference.NewImageSource",
"lookasideStorageURL",
"sigstoreAttachmentTag"
]
},
{
"path": "github.com/containers/image/v5/docker/internal/tarfile",
"symbols": [
"Destination.PutBlobWithOptions",
"Destination.PutManifest",
"Writer.configPath",
"Writer.ensureManifestItemLocked",
"Writer.ensureSingleLegacyLayerLocked",
"Writer.physicalLayerPath",
"Writer.writeLegacyMetadataLocked"
]
},
{
"path": "github.com/containers/image/v5/openshift",
"symbols": [
"openshiftImageDestination.PutBlobWithOptions",
"openshiftImageDestination.PutManifest",
"openshiftImageDestination.TryReusingBlobWithOptions",
"openshiftImageSource.GetBlob",
"openshiftImageSource.GetManifest",
"openshiftImageSource.GetSignaturesWithFormat",
"openshiftReference.NewImage"
]
},
{
"path": "github.com/containers/image/v5/ostree",
"symbols": [
"ostreeImageDestination.Commit",
"ostreeImageDestination.TryReusingBlobWithOptions",
"ostreeImageSource.GetBlob"
]
},
{
"path": "github.com/containers/image/v5/pkg/blobcache",
"symbols": [
"BlobCache.HasBlob",
"BlobCache.NewImage",
"BlobCache.blobPath",
"BlobCache.findBlob",
"blobCacheDestination.PutBlobWithOptions",
"blobCacheDestination.PutManifest",
"blobCacheDestination.TryReusingBlobWithOptions",
"blobCacheDestination.saveStream",
"blobCacheSource.GetBlob",
"blobCacheSource.GetBlobAt",
"blobCacheSource.GetManifest",
"blobCacheSource.LayerInfosForCopy"
]
},
{
"path": "github.com/containers/image/v5/storage",
"symbols": [
"ResolveReference",
"manifestBigDataKey",
"signatureBigDataKey",
"storageImageDestination.Commit",
"storageImageDestination.PutBlobWithOptions",
"storageImageDestination.TryReusingBlobWithOptions",
"storageImageDestination.tryReusingBlobAsPending",
"storageImageSource.GetManifest",
"storageImageSource.GetSignaturesWithFormat",
"storageImageSource.LayerInfosForCopy",
"storageReference.DeleteImage",
"storageReference.NewImage",
"storageReference.NewImageSource",
"storageTransport.GetImage",
"storageTransport.GetStoreImage"
]
}
]
}