Containers/image: digest type does not guarantee valid type
Summary
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. Affected products named by the advisory: OADP-1.3-RHEL-9; Red Hat Advanced Cluster Security 4.4; Red Hat Advanced Cluster Security 4.5; Red Hat Enterprise Linux 8; and 19 more. Affected products named by the advisory: Red Hat Enterprise Linux 9; Red Hat Migration Toolkit for Containers 1.8; Red Hat OpenShift Container Platform 4.13; Red Hat OpenShift Container Platform 4.14; and 14 more.
What this means
In plain English
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. Affected products named by the advisory: OADP-1.3-RHEL-9; Red Hat Advanced Cluster Security 4.4; Red Hat Advanced Cluster Security 4.5; Red Hat Enterprise Linux 8; and 19 more. Affected products named by the advisory: Red Hat Enterprise Linux 9; Red Hat Migration Toolkit for Containers 1.8; Red Hat OpenShift Container Platform 4.13; Red Hat OpenShift Container Platform 4.14; and 14 more. Path traversal can escape an intended file location and expose files or directories available to the affected process.
Recommended action
Primary action: update to a vendor-listed fixed release: 5.29.3, 5.30.1.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- before 5.29.3
- 5.30.0 before 5.30.1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 5.29.3
- 5.30.1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 5.29.3, 5.30.1. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.