CVE-2023-25656

2023-02-2016:15:10

CWE-770

[email protected]

web.nvd.nist.gov

134

notation-go

cve-2023-25656

excessive memory usage

verification

oci artifacts

trust policy

authenticity validation

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

38.0%

JSON

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.

Affected configurations

Vulners

NVD

Node

notaryprojectnotation-goRange<1.0.0-rc.3

VendorProductVersionCPE
notaryprojectnotation\-go*cpe:2.3:a:notaryproject:notation\-go:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
notaryproject	notation\-go	*	cpe:2.3:a:notaryproject:notation\-go::::::::

CNA Affected

[
  {
    "vendor": "notaryproject",
    "product": "notation-go",
    "versions": [
      {
        "version": "1.0.0-rc.3",
        "status": "affected",
        "lessThan": "1.0.0-rc.3",
        "versionType": "custom"
      }
    ]
  }
]