7 matches found
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : cosign (SUSE-SU-2023:4870-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:4870-1 advisory. Updated to 2.2.1 jscSLE-23879 - Enhancements: CVE-2023-46737: Possible endless data attack from...
GHSA-3HFQ-CX9J-923W Attacker can cause Kyverno user to unintentionally consume insecure image
An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno fetch their images from. The attacker could then return a vulnerable image to the the user and leverage th...
Attacker can cause Kyverno user to unintentionally consume insecure image
An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno fetch their images from. The attacker could then return a vulnerable image to the the user and leverage th...
CVE-2023-46737
A flaw was found in the cosign package. A attacker with control of a compromised registry or with privileges to make requests to the cluster can create a specific request that will trigger an infinite loop condition, resulting in a denial of service. Mitigation Mitigation for this issue is either...
CVE-2023-46737 vulnerabilities
Vulnerabilities for packages: spire-server, melange, falco, tekton-chains, flux-source-controller, ko, aactl, kubescape, policy-controller, slsa-verifier, spire-server-fips, cosign, skaffold, apko, tkn, falcoctl-fips...
CVE-2023-46737 Possible endless data attack from attacker-controlled registry in cosign
Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in...
CVE-2023-46737
CVE-2023-46737 affects Cosign, a sigstore signing tool for OCI containers. The root cause is that Cosign loops through all attestations fetched from a remote registry in pkg/cosign.FetchAttestations, allowing an attacker-controlled registry to return a high number of attestations or signatures an...