29 matches found
EUVD-2024-0257
Malicious code in bioql PyPI...
CVE-2024-56138
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificates used to...
CVE-2024-23332
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
GO-2025-3382 notation-go has an OS error when setting CRL cache leads to denial of signature verification in github.com/notaryproject/notation-go
notation-go has an OS error when setting CRL cache leads to denial of signature verification in github.com/notaryproject/notation-go...
GO-2025-3381 notation-go's timestamp signature generation lacks certificate revocation check in github.com/notaryproject/notation-go
notation-go's timestamp signature generation lacks certificate revocation check in github.com/notaryproject/notation-go...
UBUNTU-CVE-2024-51491
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List CRL based revocation check feature. After retrieving the CRL, notation-go...
notation-go 安全漏洞
notation-go is a collection of libraries that support signing and validating OCI artifacts for notaryproject individual developers. A security vulnerability exists in notation-go version 1.3.0-rc.1, which stems from a failed CRL cache update operation that results in an unexpected program...
CVE-2024-23332
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
Design/Logic Flaw
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
CVE-2024-23332
CVE-2024-23332 affects the Notary Project: client configurations using permissive trust policies can enable rollback attacks if a compromised registry serves outdated artifacts. The connected sources describe that artifact publishers can set signature expiry and revoke certificates to keep artifa...
CVE-2024-23332 Client configured with permissive trust policies susceptible to rollback attack in Notary Project
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
CVE-2024-23332 Client configured with permissive trust policies susceptible to rollback attack in Notary Project
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry
Impact An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies such as permissive instead of strict to potentially use artifacts with signatures that are no...
GHSA-57WX-M636-G3G8 Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry
Impact An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies such as permissive instead of strict to potentially use artifacts with signatures that are no...
Notary Project Specifications Security Vulnerabilities
Notary Project Specifications is a repository for the Notary Project. A security vulnerability exists in Notary Project Specifications that stems from the use of artifacts whose signatures are no longer valid...
GO-2023-1589 Denial of service from memory exhaustion in github.com/notaryproject/notation-go
Parsing PKIX distinguished names containing the string "=" can cause excessive memory consumption...
Notation vulnerable to denial of service from high number of artifact signatures
Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...
Notation 数据伪造问题漏洞
Notation is a collection of libraries open-sourced by the Notary Project to support symbolic notation, validation, push and pull oci artifacts. A data forgery issue vulnerability exists in versions prior to Notation v1.0.0-rc.6, which can be exploited by an attacker to corrupt the registry and...
Notation 资源管理错误漏洞
Notation is a collection of libraries open-sourced by the Notary Project to support symbolic notation, validation, push and pull oci artifacts. A resource management error vulnerability exists in versions prior to Notation v1.0.0-rc.6. The vulnerability stems from the fact that if a user runs the...
Fedora: Security Advisory for golang-github-theupdateframework-notary (FEDORA-2022-37aef44d1e)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...