PyPi: Pulp-Container

CVE-2024-23342

Transitive

Safety vulnerability ID: 66830

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 23, 2024 Updated at Nov 29, 2024

Advisory

pulp-container 2.19.0 removes its dependency on the ecdsa package, which is vulnerable to the Minerva timing attack tracked as CVE-2024-23342; pulp-container is affected transitively through that dependency.
https://github.com/pulp/pulp_container/commit/59e06e591bd3e621401d83f417fd3fa2ecadbf0a

Affected package

pulp-container

Latest version: 2.22.0

Container plugin for the Pulp Project

Affected versions

Fixed versions

Vulnerability changelog

2.19.0
===================

Features
--------

- Incorporated a notion of container images' characteristics. Users can now filter manifests by their
  nature using the ``is_flatpak`` or ``is_bootable`` field on the corresponding Manifest endpoint.
  In addition, manifests' annotations and configuration labels are exposed on the same endpoint.
  `1437 <https://github.com/pulp/pulp_container/issues/1437>`__
- Updated the OCI manifest schema validation to comply with the changes from the OCI Image Manifest
  Specification.
  `1494 <https://github.com/pulp/pulp_container/issues/1494>`__


Bugfixes
--------

- Fixed a sync failure caused by ignored certificates during the registry signature extensions API check.
  `1552 <https://github.com/pulp/pulp_container/issues/1552>`__


Improved Documentation
----------------------

- Migrated the whole documentation to staging. The documentation should now be consumed from the
  unified docs site.
  `1517 <https://github.com/pulp/pulp_container/issues/1517>`__


Deprecations and Removals
-------------------------

- Removed the optional "kid" parameter stored inside the signatures' payload generated during
  docker manifest v2 schema 1 conversion. This change also removes the ``ecdsa`` dependency,
  which is vulnerable to Minerva timing attacks.
  `1485 <https://github.com/pulp/pulp_container/issues/1485>`__
- Removed the manifest schema conversion machinery. If a manifest is stored locally in the newer
  format and an old client requests the v2 schema 1 manifest, it will receive a 404. A v2 schema 1
  manifest is still mirrored from the remote source during sync, if available, and served to old
  clients on request.
  `1509 <https://github.com/pulp/pulp_container/issues/1509>`__
- Deprecated the ``ADDITIONAL_OCI_ARTIFACT_TYPES`` setting in favour of the relaxed validation.
  `1494 <https://github.com/pulp/pulp_container/issues/1494>`__


----


Severity Details

CVSS Base Score: HIGH 7.4

CVSS v3 Details (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): NONE