{"id":"GO-2021-0072","summary":"Uncontrolled resource allocation in github.com/docker/distribution","details":"Various storage methods do not impose limits on how much content is accepted from user requests, allowing a malicious user to force the caller to allocate an arbitrary amount of memory.","aliases":["CVE-2017-11468","GHSA-h62f-wm92-2cmw"],"modified":"2026-03-17T04:08:29.231936Z","published":"2021-04-14T20:04:52Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0072"},"references":[{"type":"FIX","url":"https://github.com/distribution/distribution/pull/2340"},{"type":"FIX","url":"https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2017:2603"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"}],"affected":[{"package":{"name":"github.com/docker/distribution","ecosystem":"Go","purl":"pkg:golang/github.com/docker/distribution"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.7.0-rc.0+incompatible"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/docker/distribution/registry/handlers","symbols":["App.ServeHTTP","NewApp","blobUploadHandler.PatchBlobData","blobUploadHandler.PutBlobUploadComplete","catalogHandler.GetCatalog","copyFullPayload","imageManifestHandler.GetImageManifest","imageManifestHandler.PutImageManifest"]},{"path":"github.com/docker/distribution/registry/storage","symbols":["PurgeUploads","Walk","blobStore.Enumerate","blobStore.Get","linkedBlobStore.Enumerate","linkedBlobStore.Get","manifestStore.Enumerate","manifestStore.Get","registry.Enumerate","registry.Repositories"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0072.json"}}],"schema_version":"1.7.5"}