High severityNVD Advisory· Published Jun 6, 2023· Updated Jan 7, 2025
CVE-2023-2253
CVE-2023-2253
Description
A flaw was found in the /v2/_catalog endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n). This vulnerability allows a malicious user to submit an unreasonably large value for n, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/docker/distributionGo | < 2.8.2-beta.1 | 2.8.2-beta.1 |
Affected products
48- osv-coords47 versionspkg:apk/chainguard/aactlpkg:apk/chainguard/argocd-image-updaterpkg:apk/chainguard/argocd-image-updater-compatpkg:apk/chainguard/argocd-image-updater-fipspkg:apk/chainguard/bompkg:apk/chainguard/flux-0pkg:apk/chainguard/flux-compatpkg:apk/chainguard/flux-helm-controller-0.37pkg:apk/chainguard/flux-image-reflector-controller-0pkg:apk/chainguard/goreleaser-1.18pkg:apk/chainguard/kptpkg:apk/chainguard/kubeadm-fips-1.27pkg:apk/chainguard/kubeadm-fips-1.27-defaultpkg:apk/chainguard/kube-apiserver-fips-1.27pkg:apk/chainguard/kube-apiserver-fips-1.27-defaultpkg:apk/chainguard/kube-controller-manager-fips-1.27pkg:apk/chainguard/kube-controller-manager-fips-1.27-defaultpkg:apk/chainguard/kubectl-bash-completion-fips-1.27pkg:apk/chainguard/kubectl-fips-1.27pkg:apk/chainguard/kubectl-fips-1.27-defaultpkg:apk/chainguard/kubelet-fips-1.27pkg:apk/chainguard/kubelet-fips-1.27-defaultpkg:apk/chainguard/kube-proxy-fips-1.27pkg:apk/chainguard/kube-proxy-fips-1.27-defaultpkg:apk/chainguard/kubernetes-dashboardpkg:apk/chainguard/kubernetes-fips-1.27pkg:apk/chainguard/kubernetes-fips-1.27-defaultpkg:apk/chainguard/kube-scheduler-fips-1.27pkg:apk/chainguard/kube-scheduler-fips-1.27-defaultpkg:apk/chainguard/prometheus-2.38pkg:apk/chainguard/prometheus-2.38-bitnami-compatpkg:apk/chainguard/prometheus-fips-2.38pkg:apk/chainguard/traefikpkg:apk/wolfi/aactlpkg:apk/wolfi/argocd-image-updaterpkg:apk/wolfi/argocd-image-updater-compatpkg:apk/wolfi/bompkg:apk/wolfi/flux-compatpkg:apk/wolfi/goreleaser-1.18pkg:apk/wolfi/kptpkg:apk/wolfi/kubernetes-dashboardpkg:apk/wolfi/traefikpkg:golang/github.com/docker/distributionpkg:rpm/opensuse/distribution&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/distribution-registry&distro=openSUSE%20Tumbleweedpkg:rpm/suse/distribution&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/docker-distribution&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012
< 0.4.12-r7+ 46 more
- (no CPE)range: < 0.4.12-r7
- (no CPE)range: < 0.17.0-r1
- (no CPE)range: < 0.17.0-r1
- (no CPE)range: < 0.17.0-r2
- (no CPE)range: < 0.6.0-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.27.0-r7
- (no CPE)range: < 0.26.1-r3
- (no CPE)range: < 1.18.2-r12
- (no CPE)range: < 1.0.0_beta31-r5
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 2.7.0-r2
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 1.27.12-r1
- (no CPE)range: < 2.38.0-r7
- (no CPE)range: < 2.38.0-r7
- (no CPE)range: < 0
- (no CPE)range: < 2.10.1-r2
- (no CPE)range: < 0.4.12-r7
- (no CPE)range: < 0.17.0-r1
- (no CPE)range: < 0.17.0-r1
- (no CPE)range: < 0.6.0-r0
- (no CPE)range: < 0
- (no CPE)range: < 1.18.2-r12
- (no CPE)range: < 1.0.0_beta31-r5
- (no CPE)range: < 2.7.0-r2
- (no CPE)range: < 2.10.1-r2
- (no CPE)range: < 2.8.2-beta.1
- (no CPE)range: < 2.8.1-150400.9.18.1
- (no CPE)range: < 2.8.2-1.1
- (no CPE)range: < 2.8.1-150400.9.18.1
- (no CPE)range: < 2.6.2-13.9.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-hqxw-f8mx-cpmwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-2253ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dcghsaWEB
- github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmwghsaWEB
- lists.debian.org/debian-lts-announce/2023/06/msg00035.htmlghsamailing-listWEB
News mentions
0No linked articles in our index yet.