CVE-2023-33959

CVE-2023-33959 concerns notation (notaryproject/notation-go) used to sign/verify OCI artifacts. Affected: the notation tool and its verification flow when a registry is compromised can mislead users into verifying a wrong artifact. Root cause described in connected sources as a verification bypas...

CVE-2023-33958 Default `maxSignatureAttempts` in `notation verify` enables an endless data attack in notation

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The...

CVE-2023-33958

CVE-2023-33958 affects the notation CLI tool for signing/verifying OCI artifacts. The issue is a default maxSignatureAttempts setting in notation verify that can be abused by an attacker who controls a registry to serve an unlimited number of signatures for an artifact, causing denial of service ...

CVE-2023-33958 Default `maxSignatureAttempts` in `notation verify` enables an endless data attack in notation

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The...

CVE-2023-33957

CVE-2023-33957 affects the Notation CLI (github.com/notaryproject/notation) and describes a denial-of-service risk: if a registry is compromised and signs many artifacts, a user running notation inspect/verify can exhaust host resources. The issue is mitigated by upgrading to v1.0.0-rc.6 or newer...

CVE-2023-33957 Denial of service from high number of artifact signatures in notation

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The...

GHSA-RVRX-RRWH-R9P6 Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

GHSA-9M3V-V4R5-PPX7 Notation vulnerable to denial of service from high number of artifact signatures

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

Notation vulnerable to denial of service from high number of artifact signatures

Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

PT-2023-24597 · Notation · Notation

Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6 Description: The issue allows an attacker who has compromised a registry and added a high number of signatures to an artifact to cause denial of service of services on the machine, if a user runs the...

Notation 资源管理错误漏洞

Notation is a collection of libraries open-sourced by the Notary Project to support symbolic notation, verification, push and pull oci artifacts. A resource management error vulnerability exists in versions prior to Notation v1.0.0-rc.6. The vulnerability stems from the fact that if a user runs t...

PT-2023-24598 · Notation · Notation

Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6 Description: An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command...

Notation 数据伪造问题漏洞

Notation is a collection of libraries open-sourced by the Notary Project to support symbolic notation, validation, push and pull oci artifacts. A data forgery issue vulnerability exists in versions prior to Notation v1.0.0-rc.6, which can be exploited by an attacker to corrupt the registry and...

Notation 资源管理错误漏洞

Notation is a collection of libraries open-sourced by the Notary Project to support symbolic notation, validation, push and pull oci artifacts. A resource management error vulnerability exists in versions prior to Notation v1.0.0-rc.6. The vulnerability stems from the fact that if a user runs the...

PT-2023-24599 · Unknown · Notation-Go

Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6 Description: An attacker who has compromised a registry can cause users to verify the wrong artifact. This issue allows an attacker to lead a user into verifying the wrong artifact if they control or...

Possible DoS translating ASN.1 object identifiers

...

SUSE CVE-2023-2977

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardoshaveverifyrcpackage. The attacker can supply a smart card package with malformed ASN1 context. The cardoshaveverifyrcpackage function scans the ASN1 buffer for 2 tags, where remaining lengt...

json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘‘ or ‘‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed...

jettison: memory exhaustion via user-supplied XML or JSON data

A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack...