CVE-2023-2253 (Medium) detected in github.com/docker/distribution-v2.7.1+incompatible #63
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-2253 - Medium Severity Vulnerability
The Docker toolset to pack, ship, store, and deliver content
Library home page: https://proxy.golang.org/github.com/docker/distribution/@v/v2.7.1+incompatible.zip
Dependency Hierarchy:
Found in HEAD commit: 2d8758c5c6af81f1b5149d3ef236b7f962895dbe
Found in base branch: main
A flaw was found in the
/v2/_catalogendpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string:n). This vulnerability allows a malicious user to submit an unreasonably large value forn,causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.Publish Date: 2023-06-06
URL: CVE-2023-2253
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-hqxw-f8mx-cpmw
Release Date: 2023-04-24
Fix Resolution: v2.8.2
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: