Vulnerability Description
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Notaryproject | Notation-Go | 0.7.0 |
Related Weaknesses (CWE)
References
- https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3Release Notes
- https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-Vendor Advisory
- https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3Release Notes
- https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-Vendor Advisory
FAQ
What is CVE-2023-25656?
CVE-2023-25656 is a vulnerability with a CVSS score of 7.5 (HIGH). notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessi...
How severe is CVE-2023-25656?
CVE-2023-25656 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25656?
Check the references section above for vendor advisories and patch information. Affected products include: Notaryproject Notation-Go.