x/vulndb: potential Go vuln in github.com/notaryproject/notation: CVE-2023-33958 #1837

Closed
GoVulnBot opened this issue Jun 6, 2023 · 1 comment

Comments

@GoVulnBot
CVE-2023-33958 references github.com/notaryproject/notation, which may be a Go module.

Description:
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/notaryproject/notation
      packages:
        - package: notation
description: |
    notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
cves:
    - CVE-2023-33958
references:
    - advisory: https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6
    - web: https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6

@tatianab
Contributor

tatianab commented Jun 7, 2023

Duplicate of #1831

@tatianab tatianab marked this as a duplicate of #1831 Jun 7, 2023
@tatianab tatianab closed this as completed Jun 7, 2023