CVE-2024-3727 - OpenCVE

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Acm Advanced Cluster Security Ansible Automation Platform Assisted Installer Container Native Virtualization Enterprise Linux Multicluster Engine Ocp Tools Openshift Openshift Api Data Protection Openshift Devspaces Openshift Ironic Openshift Sandboxed Containers Openstack Quay Rhmt Serverless Source To Image

No data.

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-central-db-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.4.5-4	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.4.5-3	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.4.5-3	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.4.5-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.4.5-3	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.4.5-3	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2024:6054	2024-08-29T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-central-db-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.2-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.2-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2024:6708	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 8
container-tools:rhel8-8100020240808093819.afee755d	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:5258	2024-08-13T00:00:00Z
Red Hat OpenShift Container Platform 4.14
openshift4/ose-operator-lifecycle-manager:v4.14.0-202407260439.p0.g8d9b39e.assembly.stream.el8	cpe:/a:redhat:openshift:4.14::el8	RHSA-2024:4960	2024-08-07T00:00:00Z
Red Hat OpenShift Container Platform 4.15
openshift4/ose-operator-lifecycle-manager-rhel9:v4.15.0-202407230407.p0.gf3f8de5.assembly.stream.el9	cpe:/a:redhat:openshift:4.15::el9	RHSA-2024:4850	2024-07-31T00:00:00Z
Red Hat OpenShift Container Platform 4.16
podman-4:4.9.4-5.1.rhaos4.16.el8	cpe:/a:redhat:openshift:4.16::el8	RHSA-2024:0045	2024-06-27T00:00:00Z
skopeo-2:1.14.4-1.rhaos4.16.el9	cpe:/a:redhat:openshift:4.16::el8	RHSA-2024:0045	2024-06-27T00:00:00Z
cri-o-0:1.29.5-7.rhaos4.16.git7db4ada.el9	cpe:/a:redhat:openshift:4.16::el8	RHSA-2024:4159	2024-07-03T00:00:00Z
openshift4/ose-operator-lifecycle-manager-rhel9:v4.16.0-202407171536.p0.g1551101.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2024:4613	2024-07-24T00:00:00Z
RHEL-9-CNV-4.15
container-native-virtualization/virt-cdi-controller-rhel9:v4.15.5-7	cpe:/a:redhat:container_native_virtualization:4.15::el9	RHSA-2024:5951	2024-08-28T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:0045
https://access.redhat.com/errata/RHSA-2024:4159
https://access.redhat.com/errata/RHSA-2024:4613
https://access.redhat.com/errata/RHSA-2024:4850
https://access.redhat.com/errata/RHSA-2024:4960
https://access.redhat.com/errata/RHSA-2024:5258
https://access.redhat.com/errata/RHSA-2024:5951
https://access.redhat.com/errata/RHSA-2024:6054
https://access.redhat.com/errata/RHSA-2024:6708
https://access.redhat.com/security/cve/CVE-2024-3727
https://bugzilla.redhat.com/show_bug.cgi?id=2274767
https://nvd.nist.gov/vuln/detail/CVE-2024-3727
https://www.cve.org/CVERecord?id=CVE-2024-3727

History

Wed, 18 Sep 2024 08:30:00 +0000

Type	Values Removed	Values Added
References	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HEYS34N55G7NOQZKNEXZKQVNDGEICCD/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6B37TXOKTKDBE2V26X2NSP7JKNMZOFVP/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLND3YDQQRWVRIUPL2G5UKXP5L3VSBBT/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DTOMYERG5ND4QFDHC4ZSGCED3T3ESRSC/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBZQ2ZRMFEUQ35235B2HWPSXGDCBZHFV/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QFXMF3VVKIZN7ZMB7PKZCSWV6MOMTGMQ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFVSMR7TNLO2KPWJSW4CF64C2QMQXCIN/
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Sep 2024 22:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8
References		https://access.redhat.com/errata/RHSA-2024:6708

Thu, 29 Aug 2024 22:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:advanced_cluster_security:4~~	cpe:/a:redhat:advanced_cluster_security:4.4::el8
References		https://access.redhat.com/errata/RHSA-2024:6054

Thu, 29 Aug 2024 19:00:00 +0000

Type	Values Removed	Values Added
References		https://access.redhat.com/errata/RHSA-2024:5951

Wed, 28 Aug 2024 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:container_native_virtualization:4.15::el9

Tue, 13 Aug 2024 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Tue, 13 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream
References		https://access.redhat.com/errata/RHSA-2024:5258

Wed, 07 Aug 2024 16:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.14::el8 cpe:/a:redhat:openshift:4.14::el9
References		https://access.redhat.com/errata/RHSA-2024:4960

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-05-09T14:57:21.327Z

Updated: 2024-09-19T15:18:35.104Z

Reserved: 2024-04-12T17:56:37.261Z

Link: CVE-2024-3727

Vulnrichment

Updated: 2024-08-01T20:20:01.029Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T15:42:07.060

Modified: 2024-09-16T22:15:20.370

Link: CVE-2024-3727

Redhat

Severity : Moderate

Publid Date: 2024-05-09T00:00:00Z

Links: CVE-2024-3727 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object