containers / image

Work with containers' images
Apache License 2.0
862 stars, 376 forks

[release-5.30] Release 5.30.1 #2405

Closed mtrmac closed 4 months ago

mtrmac commented 4 months ago

This fixes CVE-2024-3727.

Digest values used throughout this library were not always validated. That allowed attackers to trigger, when pulling untrusted images, unexpected authenticated registry accesses on behalf of a victim user.

In less common uses of this library (using other transports or not using the containers/image/v5/copy.Image API), an attacker could also trigger local path traversals or crashes.
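Added example (not the library's own code) of the kind of up-front digest validation this report describes: a digest is accepted only if it is an `<algorithm>:<lowercase hex>` string of the exact length for a supported algorithm, and only a validated value is used to derive a local path. The function names, the supported algorithm set, and the cache layout are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Expected hex length of the encoded part per supported algorithm (assumed set).
var hexLen = map[string]int{"sha256": 64, "sha512": 128}
var lowerHex = regexp.MustCompile(`^[0-9a-f]+$`)

// ValidateDigest accepts only "<algorithm>:<lowercase hex>" with the exact length for
// a supported algorithm; anything else (unknown algorithm, wrong length, '/', '.', '?') fails.
func ValidateDigest(d string) error {
	algo, enc, ok := strings.Cut(d, ":")
	if !ok {
		return fmt.Errorf("digest %q: missing ':' separator", d)
	}
	want, known := hexLen[algo]
	if !known {
		return fmt.Errorf("digest %q: unsupported algorithm %q", d, algo)
	}
	if len(enc) != want {
		return fmt.Errorf("digest %q: want %d hex chars, got %d", d, want, len(enc))
	}
	if !lowerHex.MatchString(enc) {
		return fmt.Errorf("digest %q: encoded part is not lowercase hex", d)
	}
	return nil
}

// BlobPath derives a local cache path (assumed layout) from a digest only after
// validation, so a malformed value can never select a path outside cacheDir.
func BlobPath(cacheDir, d string) (string, error) {
	if err := ValidateDigest(d); err != nil {
		return "", err
	}
	algo, enc, _ := strings.Cut(d, ":")
	return filepath.Join(cacheDir, "blobs", algo, enc), nil
}

func main() {
	// Constructed sample values: one well-formed digest, one containing a path separator.
	for _, d := range []string{"sha256:" + strings.Repeat("ab", 32), "sha256:../escape"} {
		p, err := BlobPath("/var/cache/blobs", d)
		fmt.Printf("%q -> %q (err=%v)\n", d, p, err)
	}
}
```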

mtrmac commented 4 months ago

Cc: @TomSweeneyRedHat

TomSweeneyRedHat commented 4 months ago

LGTM once the tests are hip