Bug 1224128 - VUL-0: CVE-2024-3727: operator-sdk: containers/image: digest type does not guarantee valid type
Summary: VUL-0: CVE-2024-3727: operator-sdk: containers/image: digest type does not gu...
Status: NEW
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Other (show other bugs)
Version: Leap 15.6
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Johannes Kastl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/404878/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2024-3727
  Show dependency treegraph
 
Reported: 2024-05-10 12:49 UTC by Camila Camargo de Matos
Modified: 2024-05-10 13:15 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Camila Camargo de Matos 2024-05-10 12:49:04 UTC 
+++ This bug was initially created as a clone of Bug #1224112 +++

The digest values, handled by the Go library github.com/opencontainers/go-digest and used throughout the Go-implemented containers ecosystem, are not always validated. That allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, resource exhaustion, local path traversal and other attacks.

References:

https://issues.redhat.com/browse/OCPBUGS-25269

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3727
https://bugzilla.redhat.com/show_bug.cgi?id=2274767
Comment 1 Camila Camargo de Matos 2024-05-10 12:49:31 UTC 
The github.com/containers/image module is embedded in operator-sdk.

The openSUSE:Factory/operator-sdk package is possibly affected by this issue.

A fix for this issue can be found here: https://github.com/containers/image/pull/2403.