GHSA-9m3v-v4r5-ppx7: Notation vulnerable to denial of service from high number of artifact signatures

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-33957

Notation vulnerable to denial of service from high number of artifact signatures

Low severity GitHub Reviewed Published Jun 6, 2023 in notaryproject/notation • Updated Jun 6, 2023

Package

gomod github.com/notaryproject/notation (Go)

Affected versions

< 1.0.0-rc.6

Patched versions

1.0.0-rc.6

Description

Impact

An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above.

Workarounds

User should use secure and trusted container registries.

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) for root cause analysis.

References

• GHSA-9m3v-v4r5-ppx7
• notaryproject/notation@ed22fde
• https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6

Published to the GitHub Advisory Database

Jun 6, 2023