Headline
GHSA-rvrx-rrwh-r9p6: Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack
Impact
An attacker who controls or compromises a registry can make it serve an unbounded stream of signatures for an artifact. Because the default `maxSignatureAttempts` in `notation verify` effectively does not bound how many of those signatures are fetched and examined, the verifier keeps consuming them until the host running `notation verify` runs out of resources, a denial of service against that machine.
Patches
The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above.
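The following Go program is an added illustration of the failure mode and of the fix's shape; it is not notation's own code, and the `SignatureSource`, `EndlessSource`, `SliceSource` and `Verify` names are invented for the example. A registry is modelled as something the verifier pages through one signature at a time; a compromised registry (`EndlessSource`) never stops producing signatures. `Verify` with a positive `maxSignatureAttempts` fails closed after that many attempts, while a non-positive value (the "no limit" behaviour the advisory describes) would loop forever against the endless source.

```go
package main

import (
	"errors"
	"fmt"
)

// Signature is a stand-in for one signature envelope fetched from a registry.
// Constructed type for this example, not notation's own.
type Signature struct {
	Digest string
	Valid  bool
}

// SignatureSource yields signatures one at a time, the way a verifier pages
// through the referrers attached to an artifact. Next returns ok=false when
// the registry has no more signatures to serve.
type SignatureSource interface {
	Next() (Signature, bool)
}

// EndlessSource models a malicious or compromised registry: every call
// produces yet another bogus signature, so a verifier that keeps asking
// never reaches the end of the list.
type EndlessSource struct{ n int }

func (s *EndlessSource) Next() (Signature, bool) {
	s.n++
	return Signature{Digest: fmt.Sprintf("sha256:bogus-%d", s.n), Valid: false}, true
}

// SliceSource models an honest registry with a fixed, finite set of signatures.
type SliceSource struct {
	sigs []Signature
	i    int
}

func (s *SliceSource) Next() (Signature, bool) {
	if s.i >= len(s.sigs) {
		return Signature{}, false
	}
	sig := s.sigs[s.i]
	s.i++
	return sig, true
}

var (
	ErrNoValidSignature = errors.New("no valid signature found")
	ErrMaxAttempts      = errors.New("maximum signature attempts exceeded")
)

// Verify walks the signatures for an artifact and returns how many it examined.
// It stops successfully at the first valid signature, or with ErrMaxAttempts
// once maxSignatureAttempts signatures have been examined without success.
// A non-positive maxSignatureAttempts means "no limit": against EndlessSource
// the loop never returns, which is the unsafe default the advisory describes.
func Verify(src SignatureSource, maxSignatureAttempts int) (int, error) {
	attempts := 0
	for {
		if maxSignatureAttempts > 0 && attempts >= maxSignatureAttempts {
			return attempts, ErrMaxAttempts
		}
		sig, ok := src.Next()
		if !ok {
			return attempts, ErrNoValidSignature
		}
		attempts++
		if sig.Valid {
			return attempts, nil
		}
	}
}

func main() {
	// Constructed sample data: an honest registry with one bad and one good signature.
	honest := &SliceSource{sigs: []Signature{
		{Digest: "sha256:a", Valid: false},
		{Digest: "sha256:b", Valid: true},
	}}
	n, err := Verify(honest, 100)
	fmt.Println("honest registry:", n, err)

	// A compromised registry, with the verifier capped at 100 attempts.
	n, err = Verify(&EndlessSource{}, 100)
	fmt.Println("endless registry, capped:", n, err)

	// Verify(&EndlessSource{}, 0) would never return: it keeps fetching
	// signatures until the host is exhausted.
}
```

The cap turns an attacker-controlled loop into a bounded, fail-closed error; the honest case is unaffected because a valid signature normally appears long before the limit.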
Workarounds
Users should only verify artifacts from secure, trusted container registries, since the attack requires control of the registry serving the signatures.
Credits
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue, found during a security audit facilitated by OSTIF and sponsored by CNCF, and Shiwei Zhang (@shizhMSFT) for the root cause analysis.
CVE-2023-33958
Package
gomod github.com/notaryproject/notation (Go)
Affected versions
< 1.0.0-rc.6
Patched versions
1.0.0-rc.6
References
- GHSA-rvrx-rrwh-r9p6
- https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6
Published to the GitHub Advisory Database: Jun 6, 2023
Related news
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause a denial of service on the machine, if a user runs the `notation verify` command on that machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.