CVE-2023-2253
published 2023-06-06CVE-2023-2253: A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned…
medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker-registry | < docker-registry 2.8.2+ds1-1 (bookworm) | docker-registry 2.8.2+ds1-1 (bookworm) |
| distribution | distribution | — | — |
| github.com | distribution_distribution | >= 0 < 2.8.2-beta.1+incompatible | 2.8.2-beta.1+incompatible |
| github.com | docker_distribution | >= 0 < 2.8.2-beta.1 | 2.8.2-beta.1 |
| msrc | azl3_containerized-data-importer_1.57.0-14_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cert-manager_1.11.2-14_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_helm_3.13.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| redhat | openshift_container_platform | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH