{"id":"GO-2024-2842","summary":"Unexpected authenticated registry accesses in github.com/containers/image/v5","details":"An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.","aliases":["CVE-2024-3727","GHSA-6wvf-f2vw-3425"],"modified":"2026-02-04T03:01:49.774401Z","published":"2024-05-20T19:45:51Z","related":["CGA-7wv6-jr8h-qw7c"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2842","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-6wvf-f2vw-3425"},{"type":"FIX","url":"https://github.com/containers/image/commit/132678b47bae29c710589012668cb85859d88385"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2024-3727"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274767"},{"type":"WEB","url":"https://github.com/containers/image/releases/tag/v5.29.3"},{"type":"WEB","url":"https://github.com/containers/image/releases/tag/v5.30.1"}],"affected":[{"package":{"name":"github.com/containers/image/v5","ecosystem":"Go","purl":"pkg:golang/github.com/containers/image/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.29.3"},{"introduced":"5.30.0"},{"fixed":"5.30.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["Image","copier.createProgressBar","imageCopier.copyConfig","imageCopier.copyLayer"],"path":"github.com/containers/image/v5/copy"},{"symbols":["dirImageDestination.PutBlobWithOptions","dirImageDestination.PutManifest","dirImageDestination.PutSignaturesWithFormat","dirImageDestination.TryReusingBlobWithOptions","dirImageSource.GetBlob","dirImageSource.GetManifest","dirImageSource.GetSignaturesWithFormat","dirReference.NewImage"],"path":"github.com/containers/image/v5/directory"},{"symbols":["GetRepositoryTags","Image.GetRepositoryTags","deleteImage","dockerClient.fetchManifest","dockerClient.getBlob","dockerClient.getExtensionsSignatures","dockerClient.getSigstoreAttachmentManifest","dockerImageDestination.PutBlobWithOptions","dockerImageDestination.PutManifest","dockerImageDestination.PutSignaturesWithFormat","dockerImageDestination.TryReusingBlobWithOptions","dockerImageDestination.blobExists","dockerImageDestination.putSignaturesToLookaside","dockerImageDestination.putSignaturesToSigstoreAttachments","dockerImageSource.GetBlob","dockerImageSource.GetBlobAt","dockerImageSource.GetManifest","dockerImageSource.GetSignaturesWithFormat","dockerImageSource.getSignaturesFromLookaside","dockerReference.DeleteImage","dockerReference.NewImage","dockerReference.NewImageSource","lookasideStorageURL","sigstoreAttachmentTag"],"path":"github.com/containers/image/v5/docker"},{"symbols":["Destination.PutBlobWithOptions","Destination.PutManifest","Writer.configPath","Writer.ensureManifestItemLocked","Writer.ensureSingleLegacyLayerLocked","Writer.physicalLayerPath","Writer.writeLegacyMetadataLocked"],"path":"github.com/containers/image/v5/docker/internal/tarfile"},{"symbols":["openshiftImageDestination.PutBlobWithOptions","openshiftImageDestination.PutManifest","openshiftImageDestination.TryReusingBlobWithOptions","openshiftImageSource.GetBlob","openshiftImageSource.GetManifest","openshiftImageSource.GetSignaturesWithFormat","openshiftReference.NewImage"],"path":"github.com/containers/image/v5/openshift"},{"symbols":["ostreeImageDestination.Commit","ostreeImageDestination.TryReusingBlobWithOptions","ostreeImageSource.GetBlob"],"path":"github.com/containers/image/v5/ostree"},{"symbols":["BlobCache.HasBlob","BlobCache.NewImage","BlobCache.blobPath","BlobCache.findBlob","blobCacheDestination.PutBlobWithOptions","blobCacheDestination.PutManifest","blobCacheDestination.TryReusingBlobWithOptions","blobCacheDestination.saveStream","blobCacheSource.GetBlob","blobCacheSource.GetBlobAt","blobCacheSource.GetManifest","blobCacheSource.LayerInfosForCopy"],"path":"github.com/containers/image/v5/pkg/blobcache"},{"symbols":["ResolveReference","manifestBigDataKey","signatureBigDataKey","storageImageDestination.Commit","storageImageDestination.PutBlobWithOptions","storageImageDestination.TryReusingBlobWithOptions","storageImageDestination.tryReusingBlobAsPending","storageImageSource.GetManifest","storageImageSource.GetSignaturesWithFormat","storageImageSource.LayerInfosForCopy","storageReference.DeleteImage","storageReference.NewImage","storageReference.NewImageSource","storageTransport.GetImage","storageTransport.GetStoreImage"],"path":"github.com/containers/image/v5/storage"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2842.json"}}],"schema_version":"1.7.3"}