Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05bTN2LXY0cjUtcHB4N84AAzr2
Notation vulnerable to denial of service from high number of artifact signatures
Impact
An attacker who controls or compromises a registry can make it serve an unbounded number of signatures for an artifact. A client running notation verify fetches and checks every signature the registry offers, so the host machine is kept working on them indefinitely, causing a denial of service.
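The mechanism above, as an added example in Go (this is not code from notation or notation-go): a constructed registry stub that serves as many non-verifying signatures as it is asked for, a verifier that enumerates them with no limit (the vulnerable shape), and one that caps how many signatures it will examine and fails closed once the cap is reached (the shape of a fix). The Registry interface, the hostileRegistry stub, the error values and the cap of 50 are assumptions made for this example; the page does not state the limit or option name used upstream.

```go
package main

import (
	"errors"
	"fmt"
)

// Signature stands in for one signature envelope attached to an artifact.
// Valid models the outcome of the signature and trust-policy check, which
// is outside the scope of this example.
type Signature struct {
	Digest string
	Valid  bool
}

// Registry is the slice of registry behaviour a verifier depends on:
// enumerating the signatures that refer to an artifact. The callback returns
// false to stop early. Constructed for this example, not notation's API.
type Registry interface {
	ListSignatures(artifact string, fn func(Signature) (more bool)) error
}

// hostileRegistry serves `total` signatures, of which at most one (index
// validIndex, negative for none) verifies. A huge total models an
// attacker-controlled registry that keeps serving referrers.
type hostileRegistry struct{ total, validIndex int }

func (r hostileRegistry) ListSignatures(artifact string, fn func(Signature) bool) error {
	for i := 0; i < r.total; i++ {
		sig := Signature{
			Digest: fmt.Sprintf("sha256:%064x", i), // constructed placeholder digest
			Valid:  i == r.validIndex,
		}
		if !fn(sig) {
			return nil
		}
	}
	return nil
}

var (
	ErrNoValidSignature  = errors.New("verification failed: no valid signature found")
	ErrTooManySignatures = errors.New("verification failed: signature count exceeds the configured maximum")
)

// verifyUnbounded is the vulnerable pattern: it checks every signature the
// registry offers until one verifies or the registry runs out. A registry
// that never runs out holds the client here indefinitely. The returned count
// is how many signatures were fetched and checked; in a real client each one
// costs a network fetch, a parse and a signature check.
func verifyUnbounded(reg Registry, artifact string) (attempts int, err error) {
	found := false
	err = reg.ListSignatures(artifact, func(s Signature) bool {
		attempts++
		found = s.Valid
		return !found // keep going only while nothing has verified
	})
	if err == nil && !found {
		err = ErrNoValidSignature
	}
	return attempts, err
}

// verifyBounded is the hardened pattern: the client fixes how many signatures
// it will examine and fails closed once that budget is spent, so the registry
// cannot dictate how much work the host performs.
func verifyBounded(reg Registry, artifact string, maxAttempts int) (attempts int, err error) {
	found, exceeded := false, false
	err = reg.ListSignatures(artifact, func(s Signature) bool {
		if attempts >= maxAttempts {
			exceeded = true
			return false // budget spent: stop pulling signatures
		}
		attempts++
		found = s.Valid
		return !found
	})
	switch {
	case err != nil, found:
	case exceeded:
		err = ErrTooManySignatures
	default:
		err = ErrNoValidSignature
	}
	return attempts, err
}

func main() {
	reg := hostileRegistry{total: 10000, validIndex: -1}
	n, err := verifyUnbounded(reg, "example/app:1.0")
	fmt.Printf("unbounded: checked %d signatures, err=%v\n", n, err)
	n, err = verifyBounded(reg, "example/app:1.0", 50)
	fmt.Printf("bounded:   checked %d signatures, err=%v\n", n, err)
}
```

Against a registry that keeps paging, the unbounded verifier never returns; the bounded one stops after maxAttempts checks no matter what the server sends. A request timeout or context deadline is a complementary control, but only a count cap makes the client's total work independent of the size of the server's response.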
Patches
The problem has been fixed in release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or later.
Workarounds
Users should verify artifacts only from secure and trusted container registries. This limits exposure to a malicious or compromised registry but does not remove the underlying problem; upgrading is the fix.
Credits
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during a security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) for root cause analysis.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05bTN2LXY0cjUtcHB4N84AAzr2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: about 2 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-9m3v-v4r5-ppx7, CVE-2023-33957
References:
- https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7
- https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24
- https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6
- https://nvd.nist.gov/vuln/detail/CVE-2023-33957
- https://github.com/advisories/GHSA-9m3v-v4r5-ppx7
Blast Radius: 4.0
Affected Packages
go:github.com/notaryproject/notation
Dependent packages: 7
Dependent repositories: 5
Affected Version Ranges: < 1.0.0-rc.6
Fixed in: 1.0.0-rc.6
All affected versions: 1.0.0-rc.1, 1.0.0-rc.1.dev.20230201, 1.0.0-rc.1.dev.20230205, 1.0.0-rc.1.dev.20230210, 1.0.0-rc.1.dev.20230212, 1.0.0-rc.1.dev.20230216, 1.0.0-rc.2, 1.0.0-rc.2.dev.20230219, 1.0.0-rc.2.dev.20230226, 1.0.0-rc.3, 1.0.0-rc.4, 1.0.0-rc.5
All unaffected versions: 1.0.0, 1.0.1, 1.1.0