ghsa-45v3-38pc-874v
Vulnerability from github
This issue was identified during Quarkslab's audit of the timestamp feature.
Summary
During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified.
Details
During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by notation.
Impact
This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.0-rc.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/notaryproject/notation-go"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0-beta.1"
},
{
"fixed": "1.3.0-rc.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56138"
],
"database_specific": {
"cwe_ids": [
"CWE-299"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:14:07Z",
"nvd_published_at": "2025-01-13T22:15:14Z",
"severity": "MODERATE"
},
"details": "This issue was identified during Quarkslab\u0027s audit of the timestamp feature.\n\n### Summary\nDuring the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified.\n\n### Details\nDuring timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`.\n\n### Impact\nThis could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations.\n",
"id": "GHSA-45v3-38pc-874v",
"modified": "2025-01-14T21:05:54Z",
"published": "2025-01-13T16:14:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56138"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/commit/e99be1954a15673020150c5f8800b8174cd7428d"
},
{
"type": "PACKAGE",
"url": "https://github.com/notaryproject/notation-go"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3381"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "notation-go\u0027s timestamp signature generation lacks certificate revocation check"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.