Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2023-33959
HistoryJun 06, 2023 - 7:15 p.m.

CVE-2023-33959

2023-06-0619:15:12
CWE-347
[email protected]
web.nvd.nist.gov
2
cli tool
oci artifact
container image
signing
verification
compromise
registry
upgrade
library
security
restriction

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.4%

JSON

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

Affected configurations

NVD
Node
notaryprojectnotation-goRange<1.0.0
OR
notaryprojectnotation-goMatch1.0.0rc1
OR
notaryprojectnotation-goMatch1.0.0rc2
OR
notaryprojectnotation-goMatch1.0.0rc3
OR
notaryprojectnotation-goMatch1.0.0rc4
OR
notaryprojectnotation-goMatch1.0.0rc5

Related

osv 3
veracode 1
prion 1
cgr 1
cve 1
cvelist 1
github 1
wolfi 1
osv
osv
Verification bypass in github.com/notaryproject/notation-go
2023-06-26 16:53:25
CVE-2023-33959
2023-06-06 19:15:12
notation-go's verification bypass can cause users to verify the wrong artifact
2023-06-06 16:45:29
veracode
veracode
Improper Verification
2023-06-16 04:10:43
prion
prion
Code injection
2023-06-06 19:15:00
cgr
cgr
CVE-2023-33959 vulnerabilities
2024-05-19 03:07:16
cve
cve
CVE-2023-33959
2023-06-06 19:15:12
cvelist
cvelist
CVE-2023-33959 Verification bypass can cause users into verifying the wrong artifact
2023-06-06 18:15:14
github
github
notation-go's verification bypass can cause users to verify the wrong artifact
2023-06-06 16:45:29
wolfi
wolfi
CVE-2023-33959 vulnerabilities
2024-07-03 16:16:08

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.4%

JSON
Related for NVD:CVE-2023-33959
osv3veracode1prion1cgr1cve1cvelist1github1wolfi1