CVE-2023-33959 Verification bypass can cause users into verifying the wrong artifact

2023-06-0618:15:14

CWE-347

GitHub_M

www.cve.org

cve-2023-33959; verification bypass; notation cli; oci; artifact verification; registry compromise; container image; upgrade; notation-go library; container registry restrictions; security; trustworthy registry

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

CNA Affected

[
  {
    "vendor": "notaryproject",
    "product": "notation-go",
    "versions": [
      {
        "version": "< 1.0.0-rc.6",
        "status": "affected"
      }
    ]
  }
]