Description
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Problem types
Improper Validation of Integrity Check Value
Product status
Any version before 5.29.3
5.30.0 (semver) before 5.30.1
1.3.4-9 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-4 (rpm) before *
4.4.5-3 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-3 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-2 (rpm) before *
4.4.5-3 (rpm) before *
4.4.5-3 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-1 (rpm) before *
4.5.2-2 (rpm) before *
4.5.2-2 (rpm) before *
8100020240808093819.afee755d (rpm) before *
2:1.37.2-1.el9 (rpm) before *
2:1.16.1-1.el9 (rpm) before *
2:5.2.2-1.el9 (rpm) before *
v1.8.4-22 (rpm) before *
3:4.4.1-13.rhaos4.13.el8 (rpm) before *
2:1.11.3-3.rhaos4.13.el8 (rpm) before *
v4.14.0-202407260439.p0.g8d9b39e.assembly.stream.el8 (rpm) before *
3:4.4.1-19.rhaos4.14.el9 (rpm) before *
2:1.11.3-3.rhaos4.14.el8 (rpm) before *
v4.15.0-202409172305.p0.g17536c8.assembly.stream.el8 (rpm) before *
v4.15.0-202409171307.p0.ged4651a.assembly.stream.el8 (rpm) before *
v4.15.0-202409161436.p0.g1f44c02.assembly.stream.el9 (rpm) before *
v4.15.0-202409120135.p0.gf7f5eed.assembly.stream.el9 (rpm) before *
v4.15.0-202409131835.p0.gadccbd5.assembly.stream.el9 (rpm) before *
v4.15.0-202409120135.p0.g8425d88.assembly.stream.el9 (rpm) before *
v4.15.0-202409130735.p0.gc03231f.assembly.stream.el9 (rpm) before *
v4.15.0-202409131635.p0.gb73e37f.assembly.stream.el9 (rpm) before *
v4.15.0-202409161836.p0.g092d15b.assembly.stream.el9 (rpm) before *
v4.15.0-202409180105.p0.g1fdd5b0.assembly.stream.el9 (rpm) before *
v4.15.0-202409180905.p0.gf6f61ca.assembly.stream.el8 (rpm) before *
v4.15.0-202409171307.p0.g160e7ca.assembly.stream.el8 (rpm) before *
v4.15.0-202409131635.p0.gb7c1d6a.assembly.stream.el9 (rpm) before *
v4.15.0-202409111636.p0.gf0c44f6.assembly.stream.el9 (rpm) before *
v4.15.0-202409120135.p0.g3ab953d.assembly.stream.el9 (rpm) before *
v4.15.0-202409111636.p0.g9ea52de.assembly.stream.el9 (rpm) before *
v4.15.0-202409111636.p0.gd80fe46.assembly.stream.el8 (rpm) before *
v4.15.0-202409120135.p0.g8de6f94.assembly.stream.el9 (rpm) before *
v4.15.0-202409171307.p0.g5d529dd.assembly.stream.el9 (rpm) before *
v4.15.0-202409180305.p0.g1da79fe.assembly.stream.el9 (rpm) before *
v4.15.0-202409180305.p0.g1da79fe.assembly.stream.el9 (rpm) before *
v4.15.0-202409172305.p0.g5af0be8.assembly.stream.el9 (rpm) before *
v4.15.0-202409172305.p0.g5af0be8.assembly.stream.el9 (rpm) before *
v4.15.0-202409130536.p0.g1d6a7ed.assembly.stream.el9 (rpm) before *
v4.15.0-202409161436.p0.g4121cfc.assembly.stream.el9 (rpm) before *
v4.15.0-202409120135.p0.g71a6f28.assembly.stream.el9 (rpm) before *
v4.15.0-202409180705.p0.g95ee44e.assembly.stream.el8 (rpm) before *
v4.15.0-202409161234.p0.g4e8d689.assembly.stream.el8 (rpm) before *
415.92.202409162258-0 (rpm) before *
3:4.4.1-30.rhaos4.15.el9 (rpm) before *
2:1.11.3-4.rhaos4.15.el8 (rpm) before *
v4.15.0-202410230304.p0.g366295f.assembly.stream.el9 (rpm) before *
v4.15.0-202410230304.p0.gfde2b2e.assembly.stream.el8 (rpm) before *
v4.15.0-202407230407.p0.gf3f8de5.assembly.stream.el9 (rpm) before *
4:4.9.4-5.1.rhaos4.16.el8 (rpm) before *
2:1.14.4-1.rhaos4.16.el9 (rpm) before *
0:1.29.5-7.rhaos4.16.git7db4ada.el9 (rpm) before *
v4.16.0-202407171536.p0.g1551101.assembly.stream.el9 (rpm) before *
v4.16.0-202409162206.p0.g6a425ab.assembly.stream.el9 (rpm) before *
v4.16.0-202409231504.p0.g342902b.assembly.stream.el9 (rpm) before *
v4.16.0-202410172201.p0.gb121e87.assembly.stream.el9 (rpm) before *
v4.17.0-202409122005.p0.gb170ad0.assembly.stream.el9 (rpm) before *
v4.17.0-202409100034.p0.g8d16b39.assembly.stream.el9 (rpm) before *
v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9 (rpm) before *
v4.17.0-202409101338.p0.gb0d86a0.assembly.stream.el9 (rpm) before *
v4.17.0-202410022234.p0.gfbc55c6.assembly.stream.el9 (rpm) before *
v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9 (rpm) before *
v4.18.0-202502040032.p0.ge5a4005.assembly.stream.el9 (rpm) before *
v4.18.0-202502041302.p0.g51a74ac.assembly.stream.el9 (rpm) before *
v4.18.0-202501230001.p0.g5348c85.assembly.stream.el9 (rpm) before *
v4.18.0-202502100153.p0.g120ba67.assembly.stream.el9 (rpm) before *
v4.18.0-202502060238.p0.g73d65db.assembly.stream.el9 (rpm) before *
v4.15.5-7 (rpm) before *
Timeline
| Date | Event |
|---|---|
| 2024-04-12 | Reported to Red Hat. |
| 2024-05-09 | Made public. |
References
access.redhat.com/errata/RHSA-2024:0045 (RHSA-2024:0045)
access.redhat.com/errata/RHSA-2024:4159 (RHSA-2024:4159)
access.redhat.com/errata/RHSA-2024:4613 (RHSA-2024:4613)
access.redhat.com/security/cve/CVE-2024-3727
bugzilla.redhat.com/show_bug.cgi?id=2274767 (RHBZ#2274767)
lists.fedoraproject.org/...4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/
lists.fedoraproject.org/...6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/
lists.fedoraproject.org/...CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
lists.fedoraproject.org/...DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/
lists.fedoraproject.org/...DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/
lists.fedoraproject.org/...FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/
lists.fedoraproject.org/...GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
lists.fedoraproject.org/...QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/
lists.fedoraproject.org/...SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
access.redhat.com/errata/RHSA-2024:3718 (RHSA-2024:3718)
access.redhat.com/errata/RHSA-2024:4850 (RHSA-2024:4850)
access.redhat.com/errata/RHSA-2024:4960 (RHSA-2024:4960)
access.redhat.com/errata/RHSA-2024:5258 (RHSA-2024:5258)
access.redhat.com/errata/RHSA-2024:5951 (RHSA-2024:5951)
access.redhat.com/errata/RHSA-2024:6054 (RHSA-2024:6054)
access.redhat.com/errata/RHSA-2024:6122 (RHSA-2024:6122)
access.redhat.com/errata/RHSA-2024:6708 (RHSA-2024:6708)
access.redhat.com/errata/RHSA-2024:6818 (RHSA-2024:6818)
access.redhat.com/errata/RHSA-2024:6824 (RHSA-2024:6824)
access.redhat.com/errata/RHSA-2024:7164 (RHSA-2024:7164)
access.redhat.com/errata/RHSA-2024:7174 (RHSA-2024:7174)
access.redhat.com/errata/RHSA-2024:7182 (RHSA-2024:7182)
access.redhat.com/errata/RHSA-2024:7187 (RHSA-2024:7187)
access.redhat.com/errata/RHSA-2024:7922 (RHSA-2024:7922)
access.redhat.com/errata/RHSA-2024:7941 (RHSA-2024:7941)
access.redhat.com/errata/RHSA-2024:8260 (RHSA-2024:8260)
access.redhat.com/errata/RHSA-2024:8425 (RHSA-2024:8425)
access.redhat.com/errata/RHSA-2024:9097 (RHSA-2024:9097)
access.redhat.com/errata/RHSA-2024:9098 (RHSA-2024:9098)
access.redhat.com/errata/RHSA-2024:9102 (RHSA-2024:9102)
access.redhat.com/errata/RHSA-2024:9960 (RHSA-2024:9960)
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.