CVE-2024-10846

ADVISORY - github

Summary

Impact

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included

Patches

compose-go v2.24.1 fixed the issue

Workarounds

There isn't any known workaround.

References

EPSS Score⁠: 0.00031 (0.087)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20⁠

Improper Input Validation

ADVISORY - github

CWE-20⁠

Improper Input Validation

CWE-400⁠

Uncontrolled Resource Consumption

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-20⁠

Improper Input Validation

CWE-400⁠

Uncontrolled Resource Consumption

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.