CVE-2024-3727

8.3 HIGH

📋 TL;DR

This vulnerability in the containers/image library allows attackers to trigger authenticated registry accesses on behalf of victims, potentially leading to resource exhaustion, local path traversal, and other attacks. It affects systems using this library for container image operations. Users of container runtimes and orchestration platforms that depend on this library are at risk.

💻 Affected Systems

Products:
  • github.com/containers/image library
  • Podman
  • Buildah
  • Skopeo
  • Container runtimes using containers/image
Versions: before 5.29.0
Operating Systems: Linux, Any OS using affected container tools
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system using the containers/image library to interact with container registries, particularly with authenticated access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through path traversal, denial of service via resource exhaustion, and unauthorized access to container registries.

🟠 Likely Case: Resource exhaustion attacks causing service disruption and potential information disclosure through unauthorized registry accesses.

🟢 If Mitigated: Limited impact with proper network segmentation, registry authentication controls, and resource limits in place.

🌐 Internet-Facing: HIGH - Systems pulling container images from external registries are directly exposed to exploitation.
🏢 Internal Only: MEDIUM - Internal systems using container registries could be affected if attackers gain internal access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to trigger container image operations on target systems, typically through authenticated access or malicious container images.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.29.0 and later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:0045

Restart Required: Yes

Instructions:

  1. Update the containers/image library to version 5.29.0 or later.
  2. Update dependent tools (Podman, Buildah, Skopeo) to patched versions.
  3. Restart container services and daemons.
  4. Verify the updates with version checks.

🔧 Temporary Workarounds

Registry Access Restrictions (linux)

Limit container registry access to trusted sources only and implement network controls.

  firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_REGISTRY_IP" port protocol="tcp" port="443" accept'
  firewall-cmd --reload

Replace TRUSTED_REGISTRY_IP with the address of your registry. Note that a firewalld rich rule like this filters connections arriving at the host; limiting which registries the host may reach outbound requires an egress control instead, such as a firewalld policy object (firewalld 1.0 and later) or an egress proxy allowlist.

Resource Limits (linux)

Implement resource limits on container runtimes to mitigate exhaustion attacks.

  systemctl set-property podman.service MemoryLimit=2G
  systemctl set-property podman.service CPUQuota=80%

MemoryLimit is the cgroup v1 property; on cgroup v2 hosts systemd maps it to MemoryMax with a deprecation warning, so prefer MemoryMax=2G there. Podman itself is daemonless: podman.service is the socket-activated API service, so these limits cover pulls made through the API, not containers and pulls started directly from the CLI.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate container registry traffic
  • Use read-only or minimal privilege service accounts for registry access

🔍 How to Verify

Check if Vulnerable:

Check containers/image library version: go version -m $(which podman) | grep containers/image

Check Version:

podman version | grep Version

Verify Fix Applied:

Verify containers/image version is 5.29.0 or later: go version -m $(which podman) | grep containers/image
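The two version checks above can be scripted so the result is a clear patched/vulnerable verdict rather than a grep line to read by eye. The script below is an added example, not part of this advisory or of the containers/image project. It assumes a Go toolchain is installed (for `go version -m`), matches the module path `github.com/containers/image` with any major-version suffix, and compares against the 5.29.0 threshold stated on this page; the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not part of this advisory or of the containers/image
# project): read `go version -m <binary>` output and decide whether the
# embedded containers/image module is at or above the fixed release named
# on this page (5.29.0). The sample outputs below are constructed.

FIXED_VERSION="5.29.0"

# Print the containers/image module version found in `go version -m`
# output on stdin, with the leading "v" stripped (e.g. "5.28.0").
# Prints nothing when the module is not listed.
extract_image_version() {
    awk '$1 == "dep" && $2 ~ /^github\.com\/containers\/image(\/v[0-9]+)?$/ {
             sub(/^v/, "", $3); print $3; exit
         }'
}

# Succeed (exit 0) when version $1 is at or above FIXED_VERSION.
# Uses sort -V (GNU/BSD version sort); pre-release or pseudo-version
# suffixes such as "-rc1" or "-0.2024..." get no special handling.
is_fixed_version() {
    [ -n "$1" ] || return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Classify `go version -m` output on stdin as patched, vulnerable or
# unknown (module not listed, e.g. a binary not built from Go modules).
classify_go_version_output() {
    v=$(extract_image_version)
    if [ -z "$v" ]; then
        echo unknown
    elif is_fixed_version "$v"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check an installed binary; needs a Go toolchain for `go version -m`.
check_binary() {
    go version -m "$1" 2>/dev/null | classify_go_version_output
}

# Constructed sample outputs shaped like `go version -m /usr/bin/podman`.
SAMPLE_VULNERABLE=$(printf '/usr/bin/podman: go1.21.5\n\tpath\tgithub.com/containers/podman/v4/cmd/podman\n\tdep\tgithub.com/containers/image/v5\tv5.28.0\th1:constructed=\n')
SAMPLE_PATCHED=$(printf '/usr/bin/skopeo: go1.21.5\n\tpath\tgithub.com/containers/skopeo/cmd/skopeo\n\tdep\tgithub.com/containers/image/v5\tv5.30.1\th1:constructed=\n')

# Usage: sh check_containers_image.sh /usr/bin/podman /usr/bin/skopeo ...
# With no arguments, classify the constructed samples instead.
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do
        printf '%s: %s\n' "$bin" "$(check_binary "$bin")"
    done
else
    printf 'sample vulnerable binary: %s\n' "$(printf '%s\n' "$SAMPLE_VULNERABLE" | classify_go_version_output)"
    printf 'sample patched binary: %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | classify_go_version_output)"
fi
```

Run it against each installed binary that embeds the library (podman, buildah, skopeo); an "unknown" verdict means the binary carries no Go module information, so the version has to be confirmed through the distribution package instead.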

📡 Detection & Monitoring

Log Indicators:

  • Unexpected registry authentication attempts
  • Abnormal container pull patterns
  • Resource exhaustion alerts from container runtime

Network Indicators:

  • Unusual outbound connections to container registries
  • High volume of image layer downloads

SIEM Query:

source="container_runtime" AND (event="pull" OR event="auth") AND registry!="trusted-registry.example.com"
