Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1ydnJ4LXJyd2gtcjlwNs4AAzr3

Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact

An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above.
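As an added illustration that is not code from the notation project, the Go sketch below shows the failure mode from the Impact section and the kind of bound a `maxSignatureAttempts` setting provides: a constructed `registry` stands in for the signature listing a registry serves for one artifact, and `verifyWithCap` stops after a fixed number of envelopes instead of following an endless listing. All names, the pull-style iterator and the `Valid` flag are assumptions of this example, not notation's API.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTooManySignatures is returned once the cap is hit, so the verifier stops pulling.
var ErrTooManySignatures = errors.New("exceeded maximum signature verification attempts")

// Signature is a constructed stand-in for a signature envelope; Valid simulates its verification outcome.
type Signature struct {
	Valid bool
}

// verifyWithCap pulls signatures from next (ok=false: the registry has none left) and returns
// on the first one that passes check, or with an error once maxAttempts have been examined.
// Without the cap, a registry that never signals exhaustion keeps this loop running indefinitely.
func verifyWithCap(next func() (Signature, bool), maxAttempts int, check func(Signature) bool) (int, error) {
	attempts := 0
	for attempts < maxAttempts {
		sig, ok := next()
		if !ok {
			return attempts, errors.New("no valid signature found")
		}
		attempts++
		if check(sig) {
			return attempts, nil
		}
	}
	return attempts, ErrTooManySignatures
}

// registry models one artifact's signature listing (constructed): it serves sigs in order, then an
// honest registry reports exhaustion while a malicious one (endless=true) serves bogus envelopes forever.
func registry(sigs []Signature, endless bool) func() (Signature, bool) {
	i := 0
	return func() (Signature, bool) {
		if i < len(sigs) {
			i++
			return sigs[i-1], true
		}
		return Signature{}, endless // endless registry never reports exhaustion
	}
}

func main() {
	n, err := verifyWithCap(registry(nil, true), 50, func(s Signature) bool { return s.Valid })
	fmt.Println(n, err) // 50 exceeded maximum signature verification attempts
}
```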

Workarounds

Users should use secure and trusted container registries.

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during a security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) for root cause analysis.

Permalink: https://github.com/advisories/GHSA-rvrx-rrwh-r9p6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydnJ4LXJyd2gtcjlwNs4AAzr3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-rvrx-rrwh-r9p6, CVE-2023-33958
References: Repository: https://github.com/notaryproject/notation
Blast Radius: 4.5

Affected Packages

go:github.com/notaryproject/notation
Dependent packages: 7
Dependent repositories: 5
Affected Version Ranges: < 1.0.0-rc.6
Fixed in: 1.0.0-rc.6
All affected versions: 1.0.0-rc.1, 1.0.0-rc.1.dev.20230201, 1.0.0-rc.1.dev.20230205, 1.0.0-rc.1.dev.20230210, 1.0.0-rc.1.dev.20230212, 1.0.0-rc.1.dev.20230216, 1.0.0-rc.2, 1.0.0-rc.2.dev.20230219, 1.0.0-rc.2.dev.20230226, 1.0.0-rc.3, 1.0.0-rc.4, 1.0.0-rc.5
All unaffected versions: 1.0.0, 1.0.1, 1.1.0