Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-xhg5-42rf-296r: notation-go's verification bypass can cause users to verify the wrong artifact

Impact

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.

Workarounds

User should use secure and trusted container registries.

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.

ghsa
Open in Source
#git

Package

gomod github.com/notaryproject/notation-go (Go)

Affected versions

< 1.0.0-rc.6

Patched versions

1.0.0-rc.6

Description

Impact

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.

Workarounds

User should use secure and trusted container registries.

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.

References

  • GHSA-xhg5-42rf-296r
  • https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6

priteshbandi published to notaryproject/notation-go

Jun 6, 2023

Published to the GitHub Advisory Database

Jun 6, 2023

Reviewed

Jun 6, 2023

Last updated

Jun 6, 2023

Related news

CVE-2023-33959: Verification bypass can cause users to verify the wrong artifact

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation
ghsa