CVE-2023-25656

2023-02-2016:15:10

CWE-770

[email protected]

web.nvd.nist.gov

notation-go

excessive memory usage

availability impact

signature verification

patch

trust policy

identity string

trusted certificates

trust stores

authenticity validation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

42.2%

JSON

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.

Affected configurations

Nvd

Node

notaryprojectnotation-goMatch0.7.0alpha1

notaryprojectnotation-goMatch0.8.0alpha1

notaryprojectnotation-goMatch0.9.0alpha1

VendorProductVersionCPE
notaryprojectnotation-go0.7.0cpe:2.3:a:notaryproject:notation-go:0.7.0:alpha1:*:*:*:*:*:*
notaryprojectnotation-go0.8.0cpe:2.3:a:notaryproject:notation-go:0.8.0:alpha1:*:*:*:*:*:*
notaryprojectnotation-go0.9.0cpe:2.3:a:notaryproject:notation-go:0.9.0:alpha1:*:*:*:*:*:*

Vendor	Product	Version	CPE
notaryproject	notation-go	0.7.0	cpe:2.3:a:notaryproject:notation-go:0.7.0:alpha1::::::
notaryproject	notation-go	0.8.0	cpe:2.3:a:notaryproject:notation-go:0.8.0:alpha1::::::
notaryproject	notation-go	0.9.0	cpe:2.3:a:notaryproject:notation-go:0.9.0:alpha1::::::