{"schema_version":"1.3.1","id":"GO-2021-0072","modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","aliases":["CVE-2017-11468","GHSA-h62f-wm92-2cmw"],"summary":"Uncontrolled resource allocation in github.com/docker/distribution","details":"Various storage methods do not impose limits on how much content is accepted from user requests, allowing a malicious user to force the caller to allocate an arbitrary amount of memory.","affected":[{"package":{"name":"github.com/docker/distribution","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.7.0-rc.0+incompatible"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/docker/distribution/registry/handlers","symbols":["App.ServeHTTP","NewApp","blobUploadHandler.PatchBlobData","blobUploadHandler.PutBlobUploadComplete","catalogHandler.GetCatalog","copyFullPayload","imageManifestHandler.GetImageManifest","imageManifestHandler.PutImageManifest"]},{"path":"github.com/docker/distribution/registry/storage","symbols":["PurgeUploads","Walk","blobStore.Enumerate","blobStore.Get","linkedBlobStore.Enumerate","linkedBlobStore.Get","manifestStore.Enumerate","manifestStore.Get","registry.Enumerate","registry.Repositories"]}]}}],"references":[{"type":"FIX","url":"https://github.com/distribution/distribution/pull/2340"},{"type":"FIX","url":"https://github.com/distribution/distribution/commit/91c507a39abfce14b5c8541cf284330e22208c0f"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2017:2603"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00047.html"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0072","review_status":"REVIEWED"}}