A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n,` causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| github.com/docker/distribution(Go) | 0 | 2.8.2-beta.1 | N/A |
CVSS Metrics
