CVE-2024-3727

Containers/image: digest type does not guarantee valid type

Severity Score

8.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Se encontró una falla en la librería github.com/containers/image. Esta falla permite a los atacantes activar accesos inesperados al registro autenticado en nombre de un usuario víctima, lo que provoca agotamiento de recursos, path traversal local y otros ataques.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-12 CVE Reserved
2024-05-09 CVE Published
2024-09-26 EPSS Updated
2025-01-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-354: Improper Validation of Integrity Check Value

CAPEC

References (34)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:0045	2024-07-24
https://access.redhat.com/errata/RHSA-2024:4159	2024-07-24
https://access.redhat.com/errata/RHSA-2024:4613	2024-07-24
https://access.redhat.com/security/cve/CVE-2024-3727	2024-07-24
https://bugzilla.redhat.com/show_bug.cgi?id=2274767	2024-07-24
https://access.redhat.com/errata/RHSA-2024:3718	2025-01-06
https://access.redhat.com/errata/RHSA-2024:4850	2025-01-06
https://access.redhat.com/errata/RHSA-2024:4960	2025-01-06
https://access.redhat.com/errata/RHSA-2024:5258	2025-01-06
https://access.redhat.com/errata/RHSA-2024:5951	2025-01-06
https://access.redhat.com/errata/RHSA-2024:6054	2025-01-06
https://access.redhat.com/errata/RHSA-2024:6708	2025-01-06
https://access.redhat.com/errata/RHSA-2024:6824	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7164	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7174	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7182	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7187	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7922	2025-01-06
https://access.redhat.com/errata/RHSA-2024:7941	2025-01-06
https://access.redhat.com/errata/RHSA-2024:8260	2025-01-06
https://access.redhat.com/errata/RHSA-2024:8425	2025-01-06
https://access.redhat.com/errata/RHSA-2024:9097	2025-01-06
https://access.redhat.com/errata/RHSA-2024:9098	2025-01-06
https://access.redhat.com/errata/RHSA-2024:9102	2025-01-06
https://access.redhat.com/errata/RHSA-2024:9960	2025-01-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Exadata Dbserver Search vendor "Oracle" for product "Exadata Dbserver"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Red Hat Search vendor "Red Hat"		Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Acm Search vendor "Redhat" for product "Acm"				*		-		Affected
Redhat Search vendor "Redhat"		Advanced Cluster Management For Kubernetes Search vendor "Redhat" for product "Advanced Cluster Management For Kubernetes"				*		-		Affected
Redhat Search vendor "Redhat"		Advanced Cluster Security Search vendor "Redhat" for product "Advanced Cluster Security"				*		-		Affected
Redhat Search vendor "Redhat"		Ansible Automation Platform Search vendor "Redhat" for product "Ansible Automation Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Assisted Installer Search vendor "Redhat" for product "Assisted Installer"				*		-		Affected
Redhat Search vendor "Redhat"		Container Native Virtualization Search vendor "Redhat" for product "Container Native Virtualization"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Migration Toolkit Search vendor "Redhat" for product "Migration Toolkit"				*		-		Affected
Redhat Search vendor "Redhat"		Multicluster Engine Search vendor "Redhat" for product "Multicluster Engine"				*		-		Affected
Redhat Search vendor "Redhat"		Ocp Tools Search vendor "Redhat" for product "Ocp Tools"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Api Data Protection Search vendor "Redhat" for product "Openshift Api Data Protection"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Devspaces Search vendor "Redhat" for product "Openshift Devspaces"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Ironic Search vendor "Redhat" for product "Openshift Ironic"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Sandboxed Containers Search vendor "Redhat" for product "Openshift Sandboxed Containers"				*		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				*		-		Affected
Redhat Search vendor "Redhat"		Quay Search vendor "Redhat" for product "Quay"				*		-		Affected
Redhat Search vendor "Redhat"		Rhmt Search vendor "Redhat" for product "Rhmt"				*		-		Affected
Redhat Search vendor "Redhat"		Serverless Search vendor "Redhat" for product "Serverless"				*		-		Affected
Redhat Search vendor "Redhat"		Source To Image Search vendor "Redhat" for product "Source To Image"				*		-		Affected
Alma Search vendor "Alma"		Linux Search vendor "Alma" for product "Linux"				*		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				*		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				*		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				*		-		Affected
Redhat Search vendor "Redhat"		Rhel Eus Search vendor "Redhat" for product "Rhel Eus"				*		-		Affected
Rocky Search vendor "Rocky"		Linux Search vendor "Rocky" for product "Linux"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-basesystem Search vendor "Suse" for product "Sle-module-basesystem"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-containers Search vendor "Suse" for product "Sle-module-containers"				*		-		Affected
Suse Search vendor "Suse"		Sle-module-hpc Search vendor "Suse" for product "Sle-module-hpc"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-espos Search vendor "Suse" for product "Sle Hpc-espos"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc-ltss Search vendor "Suse" for product "Sle Hpc-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sle Hpc Search vendor "Suse" for product "Sle Hpc"				*		-		Affected
Suse Search vendor "Suse"		Sled Search vendor "Suse" for product "Sled"				*		-		Affected
Suse Search vendor "Suse"		Sles-ltss Search vendor "Suse" for product "Sles-ltss"				*		-		Affected
Suse Search vendor "Suse"		Sles Search vendor "Suse" for product "Sles"				*		-		Affected
Suse Search vendor "Suse"		Sles Sap Search vendor "Suse" for product "Sles Sap"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-proxy Search vendor "Suse" for product "Suse-manager-proxy"				*		-		Affected
Suse Search vendor "Suse"		Suse-manager-server Search vendor "Suse" for product "Suse-manager-server"				*		-		Affected