CVE-2023-2253

A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*

History

29 Jun 2023, 16:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/06/msg00035.html -

13 Jun 2023, 19:09

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
First Time Redhat openshift Developer Tools And Services
Redhat
Redhat openshift Container Platform
Redhat openshift Api For Data Protection
CPE cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2189886 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2189886 - Issue Tracking, Third Party Advisory
CWE CWE-770

06 Jun 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-06 20:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-2253

Mitre link : CVE-2023-2253

CVE.ORG link : CVE-2023-2253


JSON object : View

Products Affected

redhat

  • openshift_api_for_data_protection
  • openshift_developer_tools_and_services
  • openshift_container_platform
CWE
CWE-770

Allocation of Resources Without Limits or Throttling

CWE-475

Undefined Behavior for Input to API