Fluid Attacks Database

Description

Docker Registry has Allocation of Resources Without Limits or Throttling Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint.

Specific Go Packages Affected

github.com/docker/distribution/registry/storage github.com/docker/distribution/registry/handlers

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/docker/distribution	>=0 <2.7.0-rc.0	2.7.0-rc.0
go	github.com/docker/distribution/registry/handlers	>=0 <2.7.0-rc.0	v2.7.0-rc.0
go	github.com/docker/distribution/registry/storage	>=0 <2.7.0-rc.0	v2.7.0-rc.0
debian 13	docker-registry	>=0 <2.6.2~ds1-1	2.6.2~ds1-1
debian 12	docker-registry	>=0 <2.6.2~ds1-1	2.6.2~ds1-1
debian 14	docker-registry	>=0 <2.6.2~ds1-1	2.6.2~ds1-1
debian 11	docker-registry	>=0 <2.6.2~ds1-1	2.6.2~ds1-1

Aliases

1. CVE-2017-114682. NVD-2017-114683. OSV-2017-114684. OSV-DEBIAN-2017-114685. GHSA-h62f-wm92-2cmw6. GCVE-2017-114687. access.redhat.com8. SECURITY-TRACKER-CVE-2017-11468

References

1. https://github.com/distribution/distribution/pull/23402. https://github.com/docker/distribution/pull/23403. https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f4. https://github.com/docker/distribution/releases/tag/v2.6.25. https://pkg.go.dev/vuln/GO-2021-00726. http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html