notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
References
Link | Resource |
---|---|
https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6 | Release Notes |
https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6 | Vendor Advisory |
https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6 | Release Notes |
https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:06
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
References | () https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6 - Release Notes | |
References | () https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6 - Vendor Advisory |
29 Feb 2024, 21:16
Type | Values Removed | Values Added |
---|---|---|
First Time |
Notaryproject notation-go
|
|
CPE | cpe:2.3:a:notaryproject:notation:1.0.0:rc5:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc1:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc2:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:*:*:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc3:*:*:*:go:*:* |
cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:* cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:* cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:* cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:* |
16 Jun 2023, 03:58
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6 - Release Notes | |
References | (MISC) https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CPE | cpe:2.3:a:notaryproject:notation:1.0.0:rc4:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:*:*:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc1:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc3:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc5:*:*:*:go:*:* cpe:2.3:a:notaryproject:notation:1.0.0:rc2:*:*:*:go:*:* |
|
First Time |
Notaryproject notation
Notaryproject |
06 Jun 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-06 19:15
Updated : 2024-11-21 08:06
NVD link : CVE-2023-33958
Mitre link : CVE-2023-33958
CVE.ORG link : CVE-2023-33958
JSON object : View
Products Affected
notaryproject
- notation-go
CWE
CWE-400
Uncontrolled Resource Consumption