Registry is Vulnerable to CVE-2023-2253
Context
https://seclists.org/oss-sec/2023/q2/134
The /v2/_catalog endpoint accepts a query-string parameter, n, that controls the maximum number of records returned.
When n is not given, the default n=100 is used. The server trusts that n has an acceptable value; when a maliciously large value is supplied, it allocates a slice of n strings before filling that slice with data, so the allocation size is attacker-controlled and unrelated to the number of repositories that actually exist.
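To make the defect and its mitigation concrete, here is an added Go example (not code from the registry or from the linked patch) of how a catalog handler can parse n safely. It keeps the default of 100 stated above; the hard cap of 1000 and the function names parseMaxEntries and catalogPage are assumptions for illustration. The fix has two parts: reject or clamp the parameter before using it, and size the allocation by the data actually available rather than by n alone.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// Assumed limits: the default of 100 matches the issue text; the hard cap
// of 1000 is a hypothetical server-side bound, not a value from the page.
const (
	defaultMaxEntries = 100
	hardMaxEntries    = 1000
)

var errBadN = errors.New("invalid n parameter")

// parseMaxEntries reads the catalog "n" parameter from the query string.
// It returns the default when n is absent, rejects non-numeric or
// negative values, and clamps anything above the hard cap so that the
// caller never sees an attacker-chosen size.
func parseMaxEntries(query url.Values) (int, error) {
	raw := query.Get("n")
	if raw == "" {
		return defaultMaxEntries, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, errBadN
	}
	if n > hardMaxEntries {
		return hardMaxEntries, nil
	}
	return n, nil
}

// catalogPage returns up to maxEntries repository names. The slice
// capacity is bounded by both the clamped n and the number of
// repositories actually present, so no allocation is sized by n alone.
func catalogPage(repos []string, maxEntries int) []string {
	limit := maxEntries
	if len(repos) < limit {
		limit = len(repos)
	}
	page := make([]string, 0, limit)
	for _, r := range repos[:limit] {
		page = append(page, r)
	}
	return page
}

func main() {
	// Constructed sample data, not taken from a real registry.
	repos := []string{"alpine", "busybox", "nginx"}
	for _, q := range []string{"", "n=2", "n=999999999", "n=-1", "n=abc"} {
		vals, _ := url.ParseQuery(q)
		n, err := parseMaxEntries(vals)
		if err != nil {
			fmt.Printf("%q -> rejected: %v\n", q, err)
			continue
		}
		fmt.Printf("%q -> n=%d, page=%v\n", q, n, catalogPage(repos, n))
	}
}
```

The clamp alone is enough to stop an oversized allocation; bounding the capacity by len(repos) additionally keeps memory use proportional to real data even if the cap is later raised.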
Discussion
We don't expose this endpoint on .com, and if we did, it would be backed by a different implementation. However, this may not be true for self-managed, as many self-managed users make use of this endpoint.
Solution
There's a patch linked above, and upstream (https://github.com/distribution/distribution) should have a PR out soon that we should be able to cherry-pick with some modification.