CVE-2023-2253 (Medium) detected in github.com/docker/distribution-v2.7.1+incompatible

[mend-bolt-for-github]

CVE-2023-2253 - Medium Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1+incompatible

The Docker toolset to pack, ship, store, and deliver content

Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.7.1+incompatible.zip

Dependency Hierarchy:

• github.com/genuinetools/reg-v0.16.1 (Root Library)
  • ❌ github.com/docker/distribution-v2.7.1+incompatible (Vulnerable Library)

Found in HEAD commit: 2d8758c5c6af81f1b5149d3ef236b7f962895dbe

Found in base branch: main

Vulnerability Details

A flaw was found in the /v2/_catalog endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n). This vulnerability allows a malicious user to submit an unreasonably large value for n, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Publish Date: 2023-06-06

URL: CVE-2023-2253

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hqxw-f8mx-cpmw

Release Date: 2023-04-24

Fix Resolution: v2.8.2

---

Step up your Open Source Security Game with Mend here