CVE-2024-3727

Name
CVE-2024-3727
Description
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                 URI
vdb-entry            https://access.redhat.com/security/cve/CVE-2024-3727
issue-tracking       https://bugzilla.redhat.com/show_bug.cgi?id=2274767
vendor-advisory      https://access.redhat.com/errata/RHSA-2024:0045
vendor-advisory      https://access.redhat.com/errata/RHSA-2024:4159
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/
secalert@redhat.com  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
vendor-advisory      https://access.redhat.com/errata/RHSA-2024:4613
vendor-advisory      https://access.redhat.com/errata/RHSA-2024:4850
vendor-advisory      https://access.redhat.com/errata/RHSA-2024:4960
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:3718
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:5258
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:5951
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:6054
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:6708
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:6818
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:6824
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7164
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7174
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7182
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7187
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7922
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:7941
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:8260
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:8425
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:9097
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:9098
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:9102
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:9960
secalert@redhat.com  https://access.redhat.com/errata/RHSA-2024:6122

Match rules

CPE URI                                   Source package  Min version                                                  Max version
cpe:/a:redhat:openshift:4.16::el9         shopxo          >= v4.16.0-202407171536.p0.g1551101.assembly.stream.el9     < *
cpe:/a:redhat:openshift_ironic:4.16::el9  shopxo          >= 4:4.9.4-5.1.rhaos4.16.el8                                 < *
cpe:/a:redhat:openshift:4.16::el9         shopxo          >= 0:1.29.5-7.rhaos4.16.git7db4ada.el8                       < *
cpe:/a:redhat:openshift:4.14::el9         shopxo          >= v4.14.0-202407260439.p0.g8d9b39e.assembly.stream.el8     < *
cpe:/a:redhat:openshift:4.15::el9         shopxo          >= v4.15.0-202407230407.p0.gf3f8de5.assembly.stream.el9     < *
cpe:/a:redhat:openshift_ironic:4.16::el9  shopxo          >= 2:1.14.4-1.rhaos4.16.el9                                  < *

Vulnerable and fixed packages

Source package  Branch          Version    Maintainer                                    Status
skopeo          edge-community  1.15.1-r0  Carlo Landmeter <clandmeter@alpinelinux.org>  fixed
skopeo          3.22-community  1.15.1-r0  None                                          fixed
skopeo          3.21-community  1.15.1-r0  None                                          fixed
skopeo          3.20-community  1.15.1-r0  Carlo Landmeter <clandmeter@alpinelinux.org>  fixed
podman          edge-community  5.0.3-r0   Michał Polański <michal@polanski.me>          fixed
podman          3.22-community  5.0.3-r0   None                                          fixed
podman          3.21-community  5.0.3-r0   None                                          fixed
podman          3.20-community  5.0.3-r0   Michał Polański <michal@polanski.me>          fixed
buildah         edge-community  1.35.4-r0  Michał Polański <michal@polanski.me>          fixed
buildah         3.22-community  1.35.4-r0  None                                          fixed
buildah         3.21-community  1.35.4-r0  None                                          fixed
buildah         3.20-community  1.35.4-r0  Michał Polański <michal@polanski.me>          fixed