CVE-2023-2253

CVE	CVE-2023-2253
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-06-06 20:15:00 UTC
Updated	2023-06-29 16:15:00 UTC
Description	A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Problem Types: CWE-770

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Openshift Api For Data Protection	-	All	All	All
Application	Redhat	Openshift Container Platform	4.0	All	All	All
Application	Redhat	Openshift Developer Tools And Services	-	All	All	All

Reference	Source	Link	Tags
2189886 – (CVE-2023-2253) CVE-2023-2253 distribution/distribution: DoS from malicious API request	MISC	bugzilla.redhat.com
[SECURITY] [DLA 3473-1] docker-registry security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

181807 Debian Security Update for docker-registry (DSA 5414-1)
183033 Debian Security Update for docker-registry (CVE-2023-2253)
6000082 Debian Security Update for docker-registry (DLA 3473-1)
907553 Common Base Linux Mariner (CBL-Mariner) Security Update for skopeo (27072-1)
907688 Common Base Linux Mariner (CBL-Mariner) Security Update for helm (27027)
907718 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-engine (27070-1)
907720 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-cli (27068-1)