logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-2253 github.com/docker/distribution

Package

Manager: go
Name: github.com/docker/distribution
Vulnerable Version: >=0 <2.8.2-beta.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00093 pctl0.27056

Details

distribution catalog API endpoint can lead to OOM via malicious user input ### Impact Systems that run `distribution` built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious `/v2/_catalog` API endpoint request. ### Patches Upgrade to at least 2.8.2-beta.1 if you are running `v2.8.x` release. If you use the code from the main branch, update at least to the commit after [f55a6552b006a381d9167e328808565dd2bf77dc](https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc). ### Workarounds There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section. ### References `/v2/_catalog` endpoint accepts a parameter to control the maximum amount of records returned (query string: `n`). When not given the default `n=100` is used. The server trusts that `n` has an acceptable value, however when using a maliciously large value, it allocates an array/slice of `n` of strings before filling the slice with data. This behaviour was introduced ~7yrs ago [1]. ### Recommendation The `/v2/_catalog` endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations. Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet. ### For more information If you have any questions or comments about this advisory: * Open an issue in [distribution repository](https://github.com/distribution/distribution) * Email us at [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io) [1] [faulty commit](https://github.com/distribution/distribution/blob/b7e26bac741c76cb792f8e14c41a2163b5dae8df/registry/handlers/catalog.go#L45)

Metadata

Created: 2023-05-11T20:37:54Z
Modified: 2023-05-11T20:37:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hqxw-f8mx-cpmw/GHSA-hqxw-f8mx-cpmw.json
CWE IDs: ["CWE-475", "CWE-770"]
Alternative ID: GHSA-hqxw-f8mx-cpmw
Finding: F067
Auto approve: 1