Notation Go
CVE-2023-25656
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.
AnalysisAI
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce. Affected products include: Notaryproject Notation-Go. Version information: version 1.0.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set resource limits, implement rate limiting, validate input sizes.
More in Notation Go
View allnotation is a CLI tool to sign and verify OCI artifacts and container images. Rated high severity (CVSS 8.8), this vulne
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing softw
notation is a CLI tool to sign and verify OCI artifacts and container images. Rated medium severity (CVSS 6.5), this vul
notation is a CLI tool to sign and verify OCI artifacts and container images. Rated medium severity (CVSS 5.7), this vul
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Rated low severity (CVSS 3.3), this
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today