GO-2024-2842

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2842

Import Source

https://vuln.go.dev/ID/GO-2024-2842.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2842

Aliases

Published

2024-05-20T19:45:51Z

Modified

2024-05-20T20:13:51.584988Z

Summary

Unexpected authenticated registry accesses in github.com/containers/image/v5

Details

An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

References

Affected packages

Go / github.com/containers/image/v5

Package

Name: github.com/containers/image/v5; View open source insights on deps.dev
Purl: pkg:golang/github.com/containers/image/v5

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.30.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containers/image/v5/copy",
            "symbols": [
                "Image",
                "copier.createProgressBar",
                "imageCopier.copyConfig",
                "imageCopier.copyLayer"
            ]
        },
        {
            "path": "github.com/containers/image/v5/directory",
            "symbols": [
                "dirImageDestination.PutBlobWithOptions",
                "dirImageDestination.PutManifest",
                "dirImageDestination.PutSignaturesWithFormat",
                "dirImageDestination.TryReusingBlobWithOptions",
                "dirImageSource.GetBlob",
                "dirImageSource.GetManifest",
                "dirImageSource.GetSignaturesWithFormat",
                "dirReference.NewImage"
            ]
        },
        {
            "path": "github.com/containers/image/v5/docker",
            "symbols": [
                "GetRepositoryTags",
                "Image.GetRepositoryTags",
                "deleteImage",
                "dockerClient.fetchManifest",
                "dockerClient.getBlob",
                "dockerClient.getExtensionsSignatures",
                "dockerClient.getSigstoreAttachmentManifest",
                "dockerImageDestination.PutBlobWithOptions",
                "dockerImageDestination.PutManifest",
                "dockerImageDestination.PutSignaturesWithFormat",
                "dockerImageDestination.TryReusingBlobWithOptions",
                "dockerImageDestination.blobExists",
                "dockerImageDestination.putSignaturesToLookaside",
                "dockerImageDestination.putSignaturesToSigstoreAttachments",
                "dockerImageSource.GetBlob",
                "dockerImageSource.GetBlobAt",
                "dockerImageSource.GetManifest",
                "dockerImageSource.GetSignaturesWithFormat",
                "dockerImageSource.getSignaturesFromLookaside",
                "dockerReference.DeleteImage",
                "dockerReference.NewImage",
                "dockerReference.NewImageSource",
                "lookasideStorageURL",
                "sigstoreAttachmentTag"
            ]
        },
        {
            "path": "github.com/containers/image/v5/docker/internal/tarfile",
            "symbols": [
                "Destination.PutBlobWithOptions",
                "Destination.PutManifest",
                "Writer.configPath",
                "Writer.ensureManifestItemLocked",
                "Writer.ensureSingleLegacyLayerLocked",
                "Writer.physicalLayerPath",
                "Writer.writeLegacyMetadataLocked"
            ]
        },
        {
            "path": "github.com/containers/image/v5/openshift",
            "symbols": [
                "openshiftImageDestination.PutBlobWithOptions",
                "openshiftImageDestination.PutManifest",
                "openshiftImageDestination.TryReusingBlobWithOptions",
                "openshiftImageSource.GetBlob",
                "openshiftImageSource.GetManifest",
                "openshiftImageSource.GetSignaturesWithFormat",
                "openshiftReference.NewImage"
            ]
        },
        {
            "path": "github.com/containers/image/v5/ostree",
            "symbols": [
                "ostreeImageDestination.Commit",
                "ostreeImageDestination.TryReusingBlobWithOptions",
                "ostreeImageSource.GetBlob"
            ]
        },
        {
            "path": "github.com/containers/image/v5/pkg/blobcache",
            "symbols": [
                "BlobCache.HasBlob",
                "BlobCache.NewImage",
                "BlobCache.blobPath",
                "BlobCache.findBlob",
                "blobCacheDestination.PutBlobWithOptions",
                "blobCacheDestination.PutManifest",
                "blobCacheDestination.TryReusingBlobWithOptions",
                "blobCacheDestination.saveStream",
                "blobCacheSource.GetBlob",
                "blobCacheSource.GetBlobAt",
                "blobCacheSource.GetManifest",
                "blobCacheSource.LayerInfosForCopy"
            ]
        },
        {
            "path": "github.com/containers/image/v5/storage",
            "symbols": [
                "ResolveReference",
                "manifestBigDataKey",
                "signatureBigDataKey",
                "storageImageDestination.Commit",
                "storageImageDestination.PutBlobWithOptions",
                "storageImageDestination.TryReusingBlobWithOptions",
                "storageImageDestination.tryReusingBlobAsPending",
                "storageImageSource.GetManifest",
                "storageImageSource.GetSignaturesWithFormat",
                "storageImageSource.LayerInfosForCopy",
                "storageReference.DeleteImage",
                "storageReference.NewImage",
                "storageReference.NewImageSource",
                "storageTransport.GetImage",
                "storageTransport.GetStoreImage"
            ]
        }
    ]
}