CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002 Low (Percentile 54.4%)
An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.
The problem has been fixed in release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.
Users should use secure and trusted container registries.
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during a security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) and Pritesh Bandi (@priteshbandi) for root cause analysis.
CPE

Name | Operator | Version |
---|---|---|
github.com/notaryproject/notation-go | lt | 1.0.0-rc.6 |
github.com/notaryproject/notation-go
github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r
nvd.nist.gov/vuln/detail/CVE-2023-33959