CVE-2024-3727: Containers/image: digest type does not guarantee valid type
First published: Fri Apr 12 2024(Updated: )
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/containers/image/v5 | <5.29.3 | 5.29.3 |
| go/github.com/containers/image/v5 | >=5.30.0<5.30.1 | 5.30.1 |
| go/github.com/containers/image | <5.30.1 | 5.30.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:0045
- https://access.redhat.com/errata/RHSA-2024:3718
- https://access.redhat.com/errata/RHSA-2024:4159
- https://access.redhat.com/errata/RHSA-2024:4613
- https://access.redhat.com/errata/RHSA-2024:4850
- https://access.redhat.com/errata/RHSA-2024:4960
- https://access.redhat.com/errata/RHSA-2024:5258
- https://access.redhat.com/errata/RHSA-2024:5951
- https://access.redhat.com/errata/RHSA-2024:6054
- https://access.redhat.com/errata/RHSA-2024:6708
- https://access.redhat.com/errata/RHSA-2024:6818
- https://access.redhat.com/errata/RHSA-2024:6824
- https://access.redhat.com/errata/RHSA-2024:7164
- https://access.redhat.com/errata/RHSA-2024:7174
- https://access.redhat.com/errata/RHSA-2024:7182
- https://access.redhat.com/errata/RHSA-2024:7187
- https://access.redhat.com/errata/RHSA-2024:7922
- https://access.redhat.com/errata/RHSA-2024:7941
- https://access.redhat.com/errata/RHSA-2024:8260
- https://access.redhat.com/errata/RHSA-2024:8425
- https://access.redhat.com/errata/RHSA-2024:9097
- https://access.redhat.com/errata/RHSA-2024:9098
- https://access.redhat.com/errata/RHSA-2024:9102
- https://access.redhat.com/errata/RHSA-2024:9960
- https://access.redhat.com/security/cve/CVE-2024-3727
- https://bugzilla.redhat.com/show_bug.cgi?id=2274767
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
- https://www.ibm.com/support/pages/node/7182403 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-3727
- https://github.com/containers/image/releases/tag/v5.30.1
- https://github.com/containers/image/commit/132678b47bae29c710589012668cb85859d88385
- https://github.com/containers/image/commit/e8948046055060605bd68289d406ce149590c33a
- https://github.com/containers/image/releases/tag/v5.29.3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ
- https://github.com/advisories/GHSA-6wvf-f2vw-3425 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:6122
- https://issues.redhat.com/browse/OCPBUGS-25269
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284366
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284369
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284370
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284371
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284386
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284372
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284367
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284373
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284374
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284375
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284376
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284377
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284378
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284379
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284380
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284381
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284382
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284368
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284383
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284384
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2284385
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2274767#c35
- https://flappybirdgame.io
- https://www.daisypoliklinik.com/btl-exion-istanbul/
- https://www.dytiremcevik.com/online-diyet/
Frequently Asked Questions
What is the severity of CVE-2024-3727?
CVE-2024-3727 has a high severity rating due to its potential for resource exhaustion and local path traversal attacks.
How do I fix CVE-2024-3727?
To fix CVE-2024-3727, update the github.com/containers/image library to version 5.29.3 or 5.30.1 or later.
What types of attacks can be performed using CVE-2024-3727?
CVE-2024-3727 can be exploited to trigger unexpected authenticated registry accesses, leading to resource exhaustion and local path traversal.
Which versions of github.com/containers/image are affected by CVE-2024-3727?
CVE-2024-3727 affects versions prior to 5.29.3 and between 5.30.0 and 5.30.1 of github.com/containers/image.
Is user authentication required for exploiting CVE-2024-3727?
Yes, exploitation of CVE-2024-3727 requires authenticated user access to the affected registry.
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/softwarecombine
- agent/trending
- collector/nvd-cve
- source/NVD
- collector/ibm-support
- source/IBM
- agent/references
- agent/source
- agent/tags
- agent/last-modified-date
- collector/github-advisory
- source/GitHub
- alias/GHSA-6wvf-f2vw-3425
- alias/CVE-2024-3727
- agent/software-canonical-lookup
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- collector/github-advisory-latest
- collector/redhat-bugzilla
- source/Red Hat
- package-manager/go