{"id":"GO-2024-2842","summary":"Unexpected authenticated registry accesses in github.com/containers/image/v5","details":"An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.","aliases":["CVE-2024-3727","GHSA-6wvf-f2vw-3425"],"modified":"2026-03-17T04:49:11.862490Z","published":"2024-05-20T19:45:51Z","related":["CGA-7wv6-jr8h-qw7c"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2842"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-6wvf-f2vw-3425"},{"type":"FIX","url":"https://github.com/containers/image/commit/132678b47bae29c710589012668cb85859d88385"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-3727"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274767"},{"type":"WEB","url":"https://github.com/containers/image/releases/tag/v5.29.3"},{"type":"WEB","url":"https://github.com/containers/image/releases/tag/v5.30.1"}],"affected":[{"package":{"name":"github.com/containers/image/v5","ecosystem":"Go","purl":"pkg:golang/github.com/containers/image/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.29.3"},{"introduced":"5.30.0"},{"fixed":"5.30.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/containers/image/v5/copy","symbols":["Image","copier.createProgressBar","imageCopier.copyConfig","imageCopier.copyLayer"]},{"path":"github.com/containers/image/v5/directory","symbols":["dirImageDestination.PutBlobWithOptions","dirImageDestination.PutManifest","dirImageDestination.PutSignaturesWithFormat","dirImageDestination.TryReusingBlobWithOptions","dirImageSource.GetBlob","dirImageSource.GetManifest","dirImageSource.GetSignaturesWithFormat","dirReference.NewImage"]},{"path":"github.com/containers/image/v5/docker","symbols":["GetRepositoryTags","Image.GetRepositoryTags","deleteImage","dockerClient.fetchManifest","dockerClient.getBlob","dockerClient.getExtensionsSignatures","dockerClient.getSigstoreAttachmentManifest","dockerImageDestination.PutBlobWithOptions","dockerImageDestination.PutManifest","dockerImageDestination.PutSignaturesWithFormat","dockerImageDestination.TryReusingBlobWithOptions","dockerImageDestination.blobExists","dockerImageDestination.putSignaturesToLookaside","dockerImageDestination.putSignaturesToSigstoreAttachments","dockerImageSource.GetBlob","dockerImageSource.GetBlobAt","dockerImageSource.GetManifest","dockerImageSource.GetSignaturesWithFormat","dockerImageSource.getSignaturesFromLookaside","dockerReference.DeleteImage","dockerReference.NewImage","dockerReference.NewImageSource","lookasideStorageURL","sigstoreAttachmentTag"]},{"path":"github.com/containers/image/v5/docker/internal/tarfile","symbols":["Destination.PutBlobWithOptions","Destination.PutManifest","Writer.configPath","Writer.ensureManifestItemLocked","Writer.ensureSingleLegacyLayerLocked","Writer.physicalLayerPath","Writer.writeLegacyMetadataLocked"]},{"path":"github.com/containers/image/v5/openshift","symbols":["openshiftImageDestination.PutBlobWithOptions","openshiftImageDestination.PutManifest","openshiftImageDestination.TryReusingBlobWithOptions","openshiftImageSource.GetBlob","openshiftImageSource.GetManifest","openshiftImageSource.GetSignaturesWithFormat","openshiftReference.NewImage"]},{"path":"github.com/containers/image/v5/ostree","symbols":["ostreeImageDestination.Commit","ostreeImageDestination.TryReusingBlobWithOptions","ostreeImageSource.GetBlob"]},{"path":"github.com/containers/image/v5/pkg/blobcache","symbols":["BlobCache.HasBlob","BlobCache.NewImage","BlobCache.blobPath","BlobCache.findBlob","blobCacheDestination.PutBlobWithOptions","blobCacheDestination.PutManifest","blobCacheDestination.TryReusingBlobWithOptions","blobCacheDestination.saveStream","blobCacheSource.GetBlob","blobCacheSource.GetBlobAt","blobCacheSource.GetManifest","blobCacheSource.LayerInfosForCopy"]},{"path":"github.com/containers/image/v5/storage","symbols":["ResolveReference","manifestBigDataKey","signatureBigDataKey","storageImageDestination.Commit","storageImageDestination.PutBlobWithOptions","storageImageDestination.TryReusingBlobWithOptions","storageImageDestination.tryReusingBlobAsPending","storageImageSource.GetManifest","storageImageSource.GetSignaturesWithFormat","storageImageSource.LayerInfosForCopy","storageReference.DeleteImage","storageReference.NewImage","storageReference.NewImageSource","storageTransport.GetImage","storageTransport.GetStoreImage"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2842.json"}}],"schema_version":"1.7.5"}