Lucene search

Veracode Vulnerability DatabaseVERACODE:45119

HistoryJan 23, 2024 - 5:43 a.m.

Rollback Attack

2024-01-2305:43:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

notaryproject

rollback attack

vulnerable

container registry

outdated artifact

trust policies

security

software

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

github.com/notaryproject/notation is vulnerable to Rollback Attack. The vulnerability is caused when the container registry is compromised, allowing the attacker to provide outdated artifact versions when consumers have relaxed trust policies.

References

github.com/advisories/GHSA-57wx-m636-g3g8

github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a

github.com/notaryproject/specifications/pull/285/commits/4f6c7fbc2a3e89ec23e688048fc178c7c63da3d6

github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

Related for VERACODE:45119