Vulnerabilites related to notaryproject - notation-go
CVE-2023-25656 (GCVE-0-2023-25656)
Vulnerability from cvelistv5
Published
2023-02-20 00:00
Modified
2024-11-27 16:45
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check whether the identity string contains `=#`. In addition, users should only put trusted certificates in the trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation-go |
Version: 1.0.0-rc.3 < 1.0.0-rc.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:25:19.346Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3" }, { "tags": [ "x_transferred" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25656", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-05T18:45:46.036047Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-27T16:45:09.132Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "notation-go", "vendor": "notaryproject", "versions": [ { "lessThan": "1.0.0-rc.3", "status": "affected", "version": "1.0.0-rc.3", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-21T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3" }, { "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v" } ], "source": { "advisory": "GHSA-87x9-7grx-m28v", "defect": [ "GHSA-87x9-7grx-m28v" ], "discovery": "UNKNOWN" }, "title": "notation-go has excessive memory allocation on verification", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-25656", "datePublished": "2023-02-20T00:00:00", "dateReserved": "2023-02-09T00:00:00", "dateUpdated": "2024-11-27T16:45:09.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-33959 (GCVE-0-2023-33959)
Vulnerability from cvelistv5
Published
2023-06-06 18:15
Modified
2024-08-02 15:54
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation-go |
Version: < 1.0.0-rc.6 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:54:14.191Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "notation-go", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "\u003c 1.0.0-rc.6" } ] } ], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-06T18:15:14.317Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r" } ], "source": { "advisory": "GHSA-xhg5-42rf-296r", "discovery": "UNKNOWN" }, "title": "Verification bypass can cause users into verifying the wrong artifact" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-33959", "datePublished": "2023-06-06T18:15:14.317Z", "dateReserved": "2023-05-24T13:46:35.952Z", "dateUpdated": "2024-08-02T15:54:14.191Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-33958 (GCVE-0-2023-33958)
Vulnerability from cvelistv5
Published
2023-06-06 18:13
Modified
2024-08-02 15:54
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause a denial of service on the machine if a user runs the `notation verify` command on that machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation |
Version: < 1.0.0-rc.6 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:54:14.098Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6" }, { "name": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "notation", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "\u003c 1.0.0-rc.6" } ] } ], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-06T18:13:16.926Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6" }, { "name": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" } ], "source": { "advisory": "GHSA-rvrx-rrwh-r9p6", "discovery": "UNKNOWN" }, "title": "Default `maxSignatureAttempts` in `notation verify` enables an endless data attack in notation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-33958", "datePublished": "2023-06-06T18:13:16.926Z", "dateReserved": "2023-05-24T13:46:35.952Z", "dateUpdated": "2024-08-02T15:54:14.098Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-51491 (GCVE-0-2024-51491)
Vulnerability from cvelistv5
Published
2025-01-13 21:42
Modified
2025-01-14 00:19
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Summary
notation-go is a collection of libraries supporting the signing and verification of OCI artifacts, based on the Notary Project specifications. The issue was identified during Quarkslab's security audit of the Certificate Revocation List (CRL)-based revocation check feature.
After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating-system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In the method `crl.(*FileCache).Set`, a temporary file is created in the OS-dedicated temporary area (typically /tmp on Linux/Unix). The file is written and then moved to the dedicated `notation` cache directory using `os.Rename`. As specified in the Go documentation, OS-specific restrictions may apply. On Linux, it relies on the rename syscall from libc, and as per the documentation, moving a file to a different mount point raises an EXDEV error, reported as a "cross-device link not permitted" error. Some Linux distributions, like Red Hat, use a dedicated filesystem (tmpfs) mounted on a specific mount point (usually /tmp) for temporary files. On such systems, a CRL-based revocation check will repeatedly crash notation. As a result, the signature verification process is aborted when the process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation-go |
Version: = 1.3.0-rc.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-51491", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-14T00:18:53.695137Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-14T00:19:12.573Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "notation-go", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "= 1.3.0-rc.1" } ] } ], "descriptions": [ { "lang": "en", "value": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab\u0027s security audit on the Certificate Revocation List (CRL) based revocation check feature.\nAfter retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error. 
Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation. As a result the signature verification process is aborted as process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-13T21:42:11.493Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp" }, { "name": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196" }, { "name": "https://man7.org/linux/man-pages/man2/rename.2.html", "tags": [ "x_refsource_MISC" ], "url": "https://man7.org/linux/man-pages/man2/rename.2.html" } ], "source": { "advisory": "GHSA-qjh3-4j3h-vmwp", "discovery": "UNKNOWN" }, "title": "Process crash during CRL-based revocation check on OS using separate mount point for temp Directory in 
notation-go" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51491", "datePublished": "2025-01-13T21:42:11.493Z", "dateReserved": "2024-10-28T14:20:59.337Z", "dateUpdated": "2025-01-14T00:19:12.573Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-56138 (GCVE-0-2024-56138)
Vulnerability from cvelistv5
Published
2025-01-13 21:37
Modified
2025-01-14 00:26
CWE
- CWE-299 - Improper Check for Certificate Revocation
Summary
notation-go is a collection of libraries supporting the signing and verification of OCI artifacts, based on the Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified: notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-the-Middle attack. An attacker could potentially use a compromised intermediate or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial-of-service scenarios, particularly in CI/CD environments, because timestamp signature verification would later fail due to the presence of the revoked certificate(s), potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation-go |
Version: < 1.3.0-rc.2 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-56138", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-14T00:25:46.882500Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-14T00:26:00.838Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "notation-go", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "\u003c 1.3.0-rc.2" } ] } ], "descriptions": [ { "lang": "en", "value": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab\u0027s audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-299", "description": "CWE-299: Improper Check for Certificate Revocation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-13T21:37:59.729Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v" }, { "name": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102" } ], "source": { "advisory": "GHSA-45v3-38pc-874v", "discovery": "UNKNOWN" }, "title": "Timestamp signature generation lacks certificate revocation check in notion-go" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-56138", "datePublished": "2025-01-13T21:37:59.729Z", "dateReserved": "2024-12-16T17:30:30.068Z", "dateUpdated": "2025-01-14T00:26:00.838Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23332 (GCVE-0-2024-23332)
Vulnerability from cvelistv5
Published
2024-01-19 22:19
Modified
2025-05-30 14:24
CWE
- CWE-672 - Operation on a Resource after Expiration or Release
Summary
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. In the Notary Project, an artifact publisher can control the validity period of an artifact by specifying a signature expiry during the signing process. Using shorter signature validity periods, along with processes to periodically re-sign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attacks in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios include 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workloads; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher.
This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | specifications |
Version: <= 1.0.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:59:32.308Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8" }, { "name": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-23332", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-08T15:53:20.225020Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-30T14:24:46.463Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "specifications", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "\u003c= 1.0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. 
In Notary Project, an artifact publisher can control the validity period of artifact by specifying signature expiry during the signing process. Using shorter signature validity periods along with processes to periodically resign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attack in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios includes 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workload; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure the signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher. This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-672", "description": "CWE-672: Operation on a Resource after Expiration or Release", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-19T22:19:37.013Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8" }, { "name": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a" } ], "source": { "advisory": "GHSA-57wx-m636-g3g8", "discovery": "UNKNOWN" }, "title": "Client configured with permissive trust policies susceptible to rollback attack in Notary Project" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-23332", "datePublished": "2024-01-19T22:19:37.013Z", "dateReserved": "2024-01-15T15:19:19.442Z", "dateUpdated": "2025-05-30T14:24:46.463Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-33957 (GCVE-0-2023-33957)
Vulnerability from cvelistv5
Published
2023-06-06 18:10
Modified
2024-08-02 15:54
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause a denial of service on the machine if a user runs the `notation inspect` command on that machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
notaryproject | notation |
Version: < 1.0.0-rc.6 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:54:14.164Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7" }, { "name": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "notation", "vendor": "notaryproject", "versions": [ { "status": "affected", "version": "\u003c 1.0.0-rc.6" } ] } ], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-06T18:10:30.416Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7" }, { "name": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24" } ], "source": { "advisory": "GHSA-9m3v-v4r5-ppx7", "discovery": "UNKNOWN" }, "title": "Denial of service from high number of artifact signatures in notation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-33957", "datePublished": "2023-06-06T18:10:30.416Z", "dateReserved": "2023-05-24T13:46:35.952Z", "dateUpdated": "2024-08-02T15:54:14.164Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2023-02-20 16:15
Modified
2024-11-21 07:49
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, signature verification in notation-go can allocate excessive memory (CWE-770, allocation of resources without limits or throttling); the verifying process may then be killed for exceeding its memory limits, so availability is impacted. The problem has been patched in release v1.0.0-rc.3. Some workarounds are available: users can review their own trust policy file and check whether any trusted identity string contains the sequence `=#`. Meanwhile, users should only place trusted certificates in the trust stores referenced by their trust policy files, and make sure the `authenticity` validation is set to `enforce`, so that authenticity failures are treated as verification failures rather than being logged or skipped. These workarounds reduce exposure but do not replace the upgrade.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
notaryproject | notation-go | 0.7.0 | |
notaryproject | notation-go | 0.8.0 | |
notaryproject | notation-go | 0.9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:notaryproject:notation-go:0.7.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4FE9F3CB-8113-43F6-B85E-901E0F742EBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:0.8.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "26950002-B9F0-42DE-95D9-AC4A4AA16693", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:0.9.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "17AF7E20-1C25-4660-9F8F-D99AB3AE4B7F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`." 
} ], "id": "CVE-2023-25656", "lastModified": "2024-11-21T07:49:52.963", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-02-20T16:15:10.747", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "security-advisories@github.com", "type": "Secondary" 
}, { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-06 19:15
Modified
2024-11-21 08:06
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact, i.e. verification succeeds for an artifact other than the one the user intended to validate (CWE-347, improper verification of cryptographic signature). The problem has been fixed in release v1.0.0-rc.6; users should upgrade their notation-go library to v1.0.0-rc.6 or later. Users unable to upgrade may restrict pulls to a set of trusted container registries, but this only narrows the exposure, since the attack precondition is a compromised registry, and it does not restore the integrity guarantee that signature verification is meant to provide.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
notaryproject | notation-go | * | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E048A2E7-0021-480A-AD91-F07F8BFDE9CE", "versionEndExcluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A6851C33-6C20-4B20-B26F-E258C681265E", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "99878E6C-4778-4ECE-9E29-D2A1AFB9DB82", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0B583E52-5510-42E2-AD05-F574ACCB13E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C23C91C1-C4D1-47AC-B167-CCFF71A00C5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "EB72FE70-F2E3-4540-A6BE-2EE0DB662365", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "id": "CVE-2023-33959", "lastModified": "2024-11-21T08:06:17.723", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-06T19:15:12.637", "references": [ { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-347" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-06 19:15
Modified
2024-11-21 08:06
Severity ?
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and attached a very large number of signatures to an artifact can cause a denial of service on any machine where a user runs `notation inspect` against that artifact (CWE-400, uncontrolled resource consumption), presumably because the command fetches and processes every attached signature without a bound. The problem has been fixed in release v1.0.0-rc.6; users should upgrade their notation packages to v1.0.0-rc.6 or later. Users unable to upgrade may restrict pulls to a set of trusted container registries, but note that this only narrows the exposure rather than removing it, since the attack precondition is precisely a compromised registry. Note also that the impacted-product data in this record lists the notation-go library, whereas the advisory text and the fix reference name the notation CLI.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
notaryproject | notation-go | * | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E048A2E7-0021-480A-AD91-F07F8BFDE9CE", "versionEndExcluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A6851C33-6C20-4B20-B26F-E258C681265E", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "99878E6C-4778-4ECE-9E29-D2A1AFB9DB82", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0B583E52-5510-42E2-AD05-F574ACCB13E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C23C91C1-C4D1-47AC-B167-CCFF71A00C5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "EB72FE70-F2E3-4540-A6BE-2EE0DB662365", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "id": "CVE-2023-33957", "lastModified": "2024-11-21T08:06:17.440", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-06T19:15:12.363", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": 
"security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-01-19 23:15
Modified
2024-11-21 08:57
Severity ?
4.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can serve outdated versions of OCI artifacts, such as images (a rollback attack). This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to use artifacts whose signatures are no longer valid, making them susceptible to any exploits those artifacts may contain. In the Notary Project, an artifact publisher can control the validity period of an artifact by specifying a signature expiry during the signing process. Using shorter signature validity periods, along with processes to periodically re-sign artifacts, allows artifact producers to ensure that their consumers only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable the use of up-to-date artifacts and safeguard against rollback attacks in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios include 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workloads; and 3) skipping verification for specific images that may have been validated through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher.
This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry. Note that, unlike the other entries on this page, no fixed release is named and the references point to the Notary Project specifications, so the effective controls are configuration and process (a `strict` consumer policy, short signature expiry with periodic re-signing, and certificate revocation) rather than a library upgrade alone.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
notaryproject | notation-go | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6147D6-33B0-41A8-B928-2E7FE75BBF0A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. In Notary Project, an artifact publisher can control the validity period of artifact by specifying signature expiry during the signing process. Using shorter signature validity periods along with processes to periodically resign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attack in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios includes 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workload; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. 
Additionally, the Notary Project supports revocation to ensure the signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher. This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry." }, { "lang": "es", "value": "Notary Project es un conjunto de especificaciones y herramientas destinadas a proporcionar un est\u00e1ndar intersectorial para proteger las cadenas de suministro de software mediante el uso de im\u00e1genes de contenedores aut\u00e9nticas y otros artefactos OCI. Un actor externo con control de un registro de contenedor comprometido puede proporcionar versiones obsoletas de artefactos OCI, como im\u00e1genes. Esto podr\u00eda llevar a los consumidores de artefactos con pol\u00edticas de confianza relajadas (como \"permisivas\" en lugar de \"estrictas\") a utilizar potencialmente artefactos con firmas que ya no son v\u00e1lidas, haci\u00e9ndolos susceptibles a cualquier vulnerabilidad que esos artefactos puedan contener. En Notary Project, un editor de artefactos puede controlar el per\u00edodo de validez del artefacto especificando la caducidad de la firma durante el proceso de firma. El uso de per\u00edodos de validez de firma m\u00e1s cortos junto con procesos para renunciar peri\u00f3dicamente a los artefactos permite a los productores de artefactos garantizar que sus consumidores solo recibir\u00e1n artefactos actualizados. En consecuencia, los consumidores de artefactos deber\u00edan utilizar una pol\u00edtica de confianza \"estricta\" o equivalente que imponga la caducidad de la firma. En conjunto, estos pasos permiten el uso de artefactos actualizados y protegen contra ataques de reversi\u00f3n en caso de que el registro se vea comprometido. 
Notary Project ofrece varias opciones de validaci\u00f3n de firmas, como \"permisivo\", \"auditor\u00eda\" y \"omitir\" para admitir varios escenarios. Estos escenarios incluyen 1) situaciones que exigen una implementaci\u00f3n urgente de cargas de trabajo, que requieren eludir firmas caducadas o revocadas; 2) auditor\u00eda de artefactos que carecen de firmas sin interrumpir la carga de trabajo; y 3) omitir la verificaci\u00f3n de im\u00e1genes espec\u00edficas que podr\u00edan haber sido validadas a trav\u00e9s de mecanismos alternativos. Adem\u00e1s, Notary Project admite la revocaci\u00f3n para garantizar la frescura de la firma. Los editores de artefactos pueden firmar con certificados de corta duraci\u00f3n y revocar certificados m\u00e1s antiguos cuando sea necesario. Esta revocaci\u00f3n sirve como se\u00f1al para informar a los consumidores de artefactos que el artefacto vigente correspondiente ya no est\u00e1 aprobado por el editor. Esto permite al editor de artefactos controlar la validez de la firma independientemente de su capacidad para administrar artefactos en un registro comprometido." 
} ], "id": "CVE-2024-23332", "lastModified": "2024-11-21T08:57:31.710", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-01-19T23:15:07.930", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-672" } ], "source": 
"security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-06-06 19:15
Modified
2024-11-21 08:06
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and attached a very large number of signatures to an artifact can cause a denial of service on any machine where a user runs `notation verify` against that artifact (CWE-400, uncontrolled resource consumption), presumably because the command fetches and processes every attached signature without a bound. The problem has been fixed in release v1.0.0-rc.6; users should upgrade their notation packages to v1.0.0-rc.6 or later. Users unable to upgrade may restrict pulls to a set of trusted container registries, but note that this only narrows the exposure rather than removing it, since the attack precondition is precisely a compromised registry. Note also that the impacted-product data in this record lists the notation-go library, whereas the advisory text and the fix reference name the notation CLI.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
notaryproject | notation-go | * | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 | |
notaryproject | notation-go | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E048A2E7-0021-480A-AD91-F07F8BFDE9CE", "versionEndExcluding": "1.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A6851C33-6C20-4B20-B26F-E258C681265E", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "99878E6C-4778-4ECE-9E29-D2A1AFB9DB82", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0B583E52-5510-42E2-AD05-F574ACCB13E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C23C91C1-C4D1-47AC-B167-CCFF71A00C5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "EB72FE70-F2E3-4540-A6BE-2EE0DB662365", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries." 
} ], "id": "CVE-2023-33958", "lastModified": "2024-11-21T08:06:17.580", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-06-06T19:15:12.510", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }