GitHub Advisory DatabaseGHSA-XHG5-42RF-296Rnotation-go's verification bypass can cause users to verify the wrong artifact
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
54.4%
Impact
An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.
Patches
The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.
Workarounds
User should use secure and trusted container registries.
Credits
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/notaryproject/notation-go | lt | 1.0.0-rc.6 |
References
github.com/advisories/GHSA-xhg5-42rf-296r
github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r
nvd.nist.gov/vuln/detail/CVE-2023-33959
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
54.4%