Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
alpinelinuxAlpine Linux Development TeamALPINE:CVE-2024-29903
HistoryApr 10, 2024 - 11:15 p.m.

CVE-2024-29903

2024-04-1023:15:07
Alpine Linux Development Team
security.alpinelinux.org
4
cosign
dos
vulnerability
excess memory allocation
version 2.2.4
patch

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

JSON

Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests. Version 2.2.4 contains a patch for the vulnerability.

OSVersionArchitecturePackageVersionFilename
Alpine3.20-communitynoarchcosign= 2.2.1-r5UNKNOWN

Related

osv 32
github 1
redhatcve 1
nvd 1
cvelist 1
veracode 1
cve 1
cgr 1
vulnrichment 1
wolfi 1
openvas 2
redhat 1
osv
osv
CGA-9965-4f9j-67rf
2024-06-06 12:25:45
CGA-p8hw-fxhx-vvqj
2024-06-06 12:28:42
CGA-5gvm-jvc3-7hxq
2024-06-06 12:24:08
github
github
Cosign malicious artifacts can cause machine-wide DoS
2024-04-11 17:15:46
redhatcve
redhatcve
CVE-2024-29903
2024-04-11 12:52:47
nvd
nvd
CVE-2024-29903
2024-04-10 23:15:07
cvelist
cvelist
CVE-2024-29903 Cosign vulnerable to machine-wide denial of service via malicious artifacts
2024-04-10 22:30:50
veracode
veracode
Denial Of Service (DOS)
2024-04-15 09:02:51
cve
cve
CVE-2024-29903
2024-04-10 23:15:07
cgr
cgr
CVE-2024-29903 vulnerabilities
2024-05-19 03:07:16
vulnrichment
vulnrichment
CVE-2024-29903 Cosign vulnerable to machine-wide denial of service via malicious artifacts
2024-04-10 22:30:50
wolfi
wolfi
CVE-2024-29903 vulnerabilities
2024-09-18 21:11:55
openvas
openvas
openSUSE: Security Advisory for cosign (SUSE-SU-2024:1486-2)
2024-08-20 00:00:00
openSUSE: Security Advisory for cosign (SUSE-SU-2024:1486-1)
2024-08-20 00:00:00
redhat
redhat
(RHSA-2024:4836) Moderate: RHACS 4.5 enhancement and security update
2024-07-24 16:16:52

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

JSON
Related for ALPINE:CVE-2024-29903
osv32github1redhatcve1nvd1cvelist1veracode1cve1cgr1vulnrichment1wolfi1openvas2redhat1