Bug 1224119 - VUL-0: CVE-2024-3727: containerized-data-importer: containers/image: digest type does not guarantee valid type
Summary: VUL-0: CVE-2024-3727: containerized-data-importer: containers/image: digest t...
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Vasily Ulyanov
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404878/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-3727
  Show dependency treegraph
 
Reported: 2024-05-10 11:58 UTC by Camila Camargo de Matos
Modified: 2024-07-19 16:27 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Camila Camargo de Matos 2024-05-10 11:58:18 UTC 
+++ This bug was initially created as a clone of Bug #1224112 +++

The digest values, handled by the Go library github.com/opencontainers/go-digest and used throughout the Go-implemented containers ecosystem, are not always validated. That allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks.

References:

https://issues.redhat.com/browse/OCPBUGS-25269

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3727
https://bugzilla.redhat.com/show_bug.cgi?id=2274767
Comment 1 Camila Camargo de Matos 2024-05-10 11:59:14 UTC 
The github.com/containers/image module is embedded in containerized-data-importer. A fix for this issue can be found here: https://github.com/containers/image/pull/2403.
Comment 10 Maintenance Automation 2024-06-11 12:30:06 UTC 
SUSE-SU-2024:1989-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1224119
CVE References: CVE-2024-3727
Maintenance Incident: [SUSE:Maintenance:34197](https://smelt.suse.de/incident/34197/)
Sources used:
openSUSE Leap 15.6 (src):
 containerized-data-importer-1.58.0-150600.3.3.2
Containers Module 15-SP6 (src):
 containerized-data-importer-1.58.0-150600.3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-06-11 12:30:08 UTC 
SUSE-SU-2024:1988-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1224119
CVE References: CVE-2024-3727
Maintenance Incident: [SUSE:Maintenance:34196](https://smelt.suse.de/incident/34196/)
Sources used:
openSUSE Leap 15.5 (src):
 containerized-data-importer-1.58.0-150500.6.15.1
SUSE Linux Enterprise Micro 5.5 (src):
 containerized-data-importer-1.58.0-150500.6.15.1
Containers Module 15-SP5 (src):
 containerized-data-importer-1.58.0-150500.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.