CVE-2024-37298: 
Podman vulnerability analysis and mitigation

CVE-2024-37298 affects the gorilla/schema package, which converts structs to and from form values. Prior to version 1.4.1, the vulnerability was discovered in the schema.Decoder.Decode() functionality when handling structs with fields of type []struct{...}. The vulnerability was disclosed on June 29, 2024, and affects all versions prior to 1.4.1 (GitHub Advisory).

The vulnerability exists in the schema.Decoder.Decode() function when processing structs containing array fields of other structs. The issue stems from the sparse slice functionality, where an attacker can specify a large index value, causing the system to allocate memory for all preceding elements. For example, a request like '/innocent_endpoint?arr.10000000.X=1' could trigger excessive memory allocation during form parsing. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to memory exhaustion attacks when processing specially crafted requests. Any application using schema.Decoder.Decode() on structs with arrays of other structs is potentially vulnerable. The impact is particularly severe as there was no workaround available for developers using the library without fixing the core issue (GitHub Advisory).

The vulnerability has been patched in version 1.4.1 of the gorilla/schema package. The fix implements a maxSize limit on slice creation to prevent excessive memory allocation. Users should upgrade to version 1.4.1 or later to address this vulnerability (GitHub Advisory).