Vulnerability Description
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Notaryproject | Notation-Go | < 1.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6Release Notes
- https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9pVendor Advisory
- https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6Release Notes
- https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9pVendor Advisory
FAQ
What is CVE-2023-33958?
CVE-2023-33958 is a vulnerability with a CVSS score of 5.4 (MEDIUM). notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of servic...
How severe is CVE-2023-33958?
CVE-2023-33958 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-33958?
Check the references section above for vendor advisories and patch information. Affected products include: Notaryproject Notation-Go.