A flaw was found in the /v2/_catalog
endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: n
). This vulnerability allows a malicious user to submit an unreasonably large value for n,
causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
[
{
"vendor": "n/a",
"product": "distribution/distribution",
"versions": [
{
"version": "NA",
"status": "affected"
}
]
}
]