CVE-2023-33959

2023-06-0619:15:12

CWE-347

[email protected]

web.nvd.nist.gov

140

cve-2023-33959

notation

cli tool

oci artifacts

container images

vulnerability

upgrade

security fix

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.3%

JSON

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

Affected configurations

Vulners

NVD

Node

notaryprojectnotation-goRange<1.0.0-rc.6

VendorProductVersionCPE
notaryprojectnotation\-go*cpe:2.3:a:notaryproject:notation\-go:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
notaryproject	notation\-go	*	cpe:2.3:a:notaryproject:notation\-go::::::::

CNA Affected

[
  {
    "vendor": "notaryproject",
    "product": "notation-go",
    "versions": [
      {
        "version": "< 1.0.0-rc.6",
        "status": "affected"
      }
    ]
  }
]