Search: notaryproject/notation-go

6 matches found

CVE | added 2023/06/06 6:15 p.m. | 400 views

CVE-2023-33959

CVE-2023-33959 concerns notation (notaryproject/notation-go), used to sign and verify OCI artifacts. Affected: the notation tool and its verification flow; when a registry is compromised, it can mislead users into verifying the wrong artifact. Root cause described in connected sources as a verification bypas...

CVSS 8.8 | AI score 8.4 | EPSS 0.00354
CVE | added 2023/02/20 12:00 a.m. | 399 views

CVE-2023-25656

CVE-2023-25656 affects notation-go (notaryproject) prior to 1.0.0-rc.3, where signature verification may cause memory exhaustion, leading to process death and an availability impact. Root cause is excessive memory use during verification; a patch is available in v1.0.0-rc.3. Remediation: upgrade to v1.0.0-r...

CVSS 7.5 | AI score 7.4 | EPSS 0.0044
CVE | added 2025/01/13 9:42 p.m. | 151 views

CVE-2024-51491

CVE-2024-51491 affects notation-go (CRL revocation cache). The root cause is that CRL cache updates use os.Rename: when source and destination reside on different mount points, the operation can fail with EXDEV, crashing notation and aborting signature verification. Affected component is crl...

CVSS 3.3 | AI score 3.9 | EPSS 0.00192
CVE | added 2023/06/06 6:10 p.m. | 54 views

CVE-2023-33957

CVE-2023-33957 affects the Notation CLI (github.com/notaryproject/notation) and describes a denial-of-service risk: if a registry is compromised and serves many signatures for an artifact, a user running notation inspect/verify can exhaust host resources. The issue is mitigated by upgrading to v1.0.0-rc.6 or newer...

CVSS 5.7 | AI score 4.6 | EPSS 0.00506
CVE | added 2023/06/06 6:13 p.m. | 50 views

CVE-2023-33958

CVE-2023-33958 affects the notation CLI tool for signing and verifying OCI artifacts. The issue is the default maxSignatureAttempts setting in notation verify, which can be abused by an attacker who controls a registry to serve an unlimited number of signatures for an artifact, causing denial of service ...

CVSS 6.5 | AI score 5.9 | EPSS 0.00485
CVE | added 2024/01/19 10:19 p.m. | 34 views

CVE-2024-23332

CVE-2024-23332 affects the Notary Project: client configurations that use permissive trust policies can enable rollback attacks if a compromised registry serves outdated artifacts. The connected sources describe that artifact publishers can set signature expiry and revoke certificates to keep artifa...

CVSS 6.8 | AI score 6.6 | EPSS 0.00288