107 matches found

Packet Storm News · added 2026/03/17 12:00 a.m.

A Longitudinal Study of Usability in Identity-Based Software Signing

Identity-based software signing tools aim to make software artifact provenance verifiable while reducing the operational burden of long-lived key management. However, there is limited cross-tool longitudinal evidence about which usability problems arise in practice and how those problems evolve a...

AI score 5.7 · Exploits 0

Snyk · added 2026/03/11 8:40 p.m.

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via an unvalidated URL during Apple notarization log retrieval, because URLs returned in API responses are not validated before being fetched. An attacker can cause the client to send HTTP or HTTPS requests to arbitrary or...

CVSS 6 · AI score 5.9 · EPSS 0.0002
Exploits 0 · References 2

Snyk · added 2026/03/11 8:40 p.m.

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via an unbounded read of the HTTP response body during notarization. An attacker can exhaust system memory and cause a crash by supplying a maliciously large HTTP response body if the...

CVSS 6 · AI score 5.8 · EPSS 0.00017
Exploits 0 · References 2

Github Security Blog · added 2026/03/11 12:38 a.m.

Quill has DoS via unbounded read of HTTP response body during notarization

Impact: Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS...

CVSS 5.3 · AI score 5.8 · EPSS 0.00017
Exploits 0 · References 6 · Affected software 1

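The two Quill findings above (an SSRF via a log URL taken from an API response without validation, and an unbounded read of the response body) share one hardening pattern: check the URL against an allowlist before following it, re-check every redirect hop, and read the body through a hard size limit. The Go program below is an added example written for this page, not Quill's code; the allowlisted host, the 1 KiB body limit, the in-process TLS test server and the `internal.example` target are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// errDisallowedURL is returned for any URL that is not https to an allowlisted host.
var errDisallowedURL = errors.New("refusing URL outside the allowlist")

// errBodyTooLarge is returned when the server sends more than the configured limit.
var errBodyTooLarge = errors.New("response body exceeds configured limit")

// logFetcher follows a log URL taken from an API response, but only after checking it.
type logFetcher struct {
	hc           *http.Client
	allowedHosts map[string]bool
	maxBody      int64
}

func newLogFetcher(hc *http.Client, hosts []string, maxBody int64) *logFetcher {
	f := &logFetcher{hc: hc, allowedHosts: make(map[string]bool), maxBody: maxBody}
	for _, h := range hosts {
		f.allowedHosts[strings.ToLower(h)] = true
	}
	// Every redirect hop is re-validated, so a 302 cannot escape the allowlist.
	hc.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if len(via) >= 3 {
			return errors.New("too many redirects")
		}
		return f.validate(req.URL)
	}
	return f
}

// validate enforces https, no embedded credentials, and an allowlisted host.
func (f *logFetcher) validate(u *url.URL) error {
	if u.Scheme != "https" || u.User != nil {
		return errDisallowedURL
	}
	if !f.allowedHosts[strings.ToLower(u.Hostname())] {
		return errDisallowedURL
	}
	return nil
}

// readBounded reads at most limit bytes and fails instead of buffering a larger body.
// Reading limit+1 bytes lets us tell "exactly at the limit" from "over the limit".
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errBodyTooLarge
	}
	return data, nil
}

// fetch retrieves the log at rawURL, applying both checks before and during the request.
func (f *logFetcher) fetch(rawURL string) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if err := f.validate(u); err != nil {
		return nil, err
	}
	resp, err := f.hc.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return readBounded(resp.Body, f.maxBody)
}

func main() {
	// Constructed stand-in for a notarization log endpoint; not Apple's service.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/big" {
			w.Write(make([]byte, 4096)) // oversized body, should be rejected
			return
		}
		fmt.Fprint(w, `{"status":"Accepted"}`)
	}))
	defer srv.Close()

	u, _ := url.Parse(srv.URL)
	f := newLogFetcher(srv.Client(), []string{u.Hostname()}, 1024)
	for _, target := range []string{srv.URL + "/log", srv.URL + "/big", "http://internal.example/admin"} {
		body, err := f.fetch(target)
		fmt.Printf("%-45s -> %d bytes, err=%v\n", target, len(body), err)
	}
}
```

The allowlist check runs before any DNS lookup or connection, so a disallowed URL never generates traffic; the redirect hook closes the usual bypass where the first hop is allowlisted and the second is not. `io.LimitReader` caps memory regardless of what `Content-Length` claims, which is the property the original unbounded `ReadAll` lacked.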
EUVD · added 2025/10/07 12:30 a.m.

EUVD-2020-21962

Malware in sbrugna...

CVSS 10 · AI score 9.4 · EPSS 0.02074
Exploits 0 · References 2

EUVD · added 2025/10/07 12:30 a.m.

EUVD-2015-9101

Malware in sbrugna...

CVSS 9.8 · AI score 9.3 · EPSS 0.00491
Exploits 0 · References 3

EUVD · added 2025/10/03 8:07 p.m.

EUVD-2024-0257

Malicious code in bioql PyPI...

CVSS 6.8 · AI score 6.5 · EPSS 0.00036
Exploits 0 · References 4

EUVD · added 2025/10/03 8:07 p.m.

EUVD-2022-2949

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.5 · EPSS 0.00344
Exploits 0 · References 5

EUVD · added 2025/10/03 8:07 p.m.

EUVD-2023-47238

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 5.5 · EPSS 0.00131
Exploits 0 · References 4

OSSF Malicious Packages · added 2025/08/28 10:33 p.m.

Malicious code in notary-client (PyPI)

--- -= Per source details. Do not edit below this line. =- Source: kam193 d6777fd3be7abdd8775b30e889a1bd66c4bef8af1794600867fc7292a8b9bcd0. Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 7.3
Exploits 0 · References 1

OSV · added 2025/08/28 10:33 p.m.

MAL-2025-191804 Malicious code in notary-client (PyPI)

--- -= Per source details. Do not edit below this line. =- Source: kam193 d6777fd3be7abdd8775b30e889a1bd66c4bef8af1794600867fc7292a8b9bcd0. Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 7.2
Exploits 0 · References 1

RedhatCVE · added 2025/05/23 9:12 a.m.

CVE-2024-56138

notation-go is a collection of libraries for signing and verifying OCI artifacts, based on the Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During timestamp signature generation, the revocation status of the certificates used to...

CVSS 4 · AI score 6.4 · EPSS 0.00008
Exploits 0 · References 1

RedhatCVE · added 2025/05/23 8:41 a.m.

CVE-2024-23332

The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...

CVSS 6.8 · AI score 6.7 · EPSS 0.00036
Exploits 0 · References 1

RedhatCVE · added 2025/05/23 4:55 a.m.

CVE-2023-42814

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch...

CVSS 5.3 · AI score 6.8 · EPSS 0.00131
Exploits 0 · References 1

RedhatCVE · added 2025/05/23 4:21 a.m.

CVE-2023-42815

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerability was in Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch...

CVSS 5.3 · AI score 6.9 · EPSS 0.00131
Exploits 0

RedhatCVE · added 2025/05/23 2:00 a.m.

CVE-2023-42813

Kyverno is a policy engine designed for Kubernetes. A security vulnerability was found in Kyverno where an attacker could cause denial of service of Kyverno. The vulnerable component is Kyverno's Notary verifier. An attacker would need control over the registry from which Kyverno would fetch...

CVSS 6.1 · AI score 6.9 · EPSS 0.0033
Exploits 0 · References 1

RedhatCVE · added 2025/05/22 5:45 p.m.

CVE-2020-29601

The official notary Docker images before signer-0.6.1-1 contain a blank password for the root user. Systems using the notary Docker container deployed from affected versions of the image may allow a remote attacker to achieve root access with a blank password...

CVSS 10 · AI score 7.3 · EPSS 0.02074
Exploits 0

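A check for the blank-root-password condition described in CVE-2020-29601, as an added example for this page (not the Notary project's code or part of the advisory): it parses an /etc/shadow dump, distinguishes an empty password field from a locked (`!` or `*`) or hashed one, and reports the accounts that can authenticate with an empty password. The sample shadow content is constructed and is not taken from any real image.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// shadowEntry holds the two /etc/shadow fields the check needs.
type shadowEntry struct {
	user string
	hash string
}

// accountState classifies the password field of a shadow entry.
// Only an empty field means "log in with no password"; "!" and "*"
// prefixes lock the account, and anything else is a password hash.
func accountState(hash string) string {
	switch {
	case hash == "":
		return "blank"
	case strings.HasPrefix(hash, "!") || strings.HasPrefix(hash, "*"):
		return "locked"
	default:
		return "hashed"
	}
}

// parseShadow returns the entries it could parse and skips blank, commented
// or malformed lines instead of failing on them.
func parseShadow(content string) []shadowEntry {
	var out []shadowEntry
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) < 2 {
			continue
		}
		out = append(out, shadowEntry{user: fields[0], hash: fields[1]})
	}
	return out
}

// blankPasswordAccounts lists the users whose password field is empty.
func blankPasswordAccounts(content string) []string {
	var users []string
	for _, e := range parseShadow(content) {
		if accountState(e.hash) == "blank" {
			users = append(users, e.user)
		}
	}
	return users
}

// sampleShadow is a constructed /etc/shadow, not the contents of any real image:
// root has an empty field, daemon and notary are locked, svc has a hash.
const sampleShadow = `root::18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
notary:!:18900:0:99999:7:::
svc:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:18900:0:99999:7:::
`

func main() {
	hits := blankPasswordAccounts(sampleShadow)
	if len(hits) == 0 {
		fmt.Println("OK: no accounts with a blank password")
	}
	for _, u := range hits {
		fmt.Printf("FAIL: account %q has a blank password\n", u)
	}
}
```

To run this against an image without executing its entrypoint, dump the file first with `docker run --rm --entrypoint cat <image> /etc/shadow` and pass the output to `blankPasswordAccounts`. An empty field is only exploitable where the authenticating service accepts it (PAM's `nullok` for local login, `PermitEmptyPasswords` for sshd), so treat a hit as a finding to confirm rather than as proof of remote root.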
OSV · added 2025/01/14 3:58 p.m.

GO-2025-3382: notation-go has an OS error when setting the CRL cache that leads to denial of signature verification in github.com/notaryproject/notation-go

CVSS 3.3 · AI score 3.9 · EPSS 0.00035
Exploits 1 · References 2

OSV · added 2025/01/14 3:57 p.m.

GO-2025-3381: notation-go's timestamp signature generation lacks a certificate revocation check in github.com/notaryproject/notation-go

CVSS 4 · AI score 4.3 · EPSS 0.00008
Exploits 0 · References 2

OSV · added 2025/01/13 10:15 p.m.

UBUNTU-CVE-2024-51491

notation-go is a collection of libraries for signing and verifying OCI artifacts, based on the Notary Project specifications. The issue was identified during Quarkslab's security audit of the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go...

CVSS 3.3 · AI score 7 · EPSS 0.00035
Exploits 1 · References 5