Notation Go
CVE-2023-33957
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
AnalysisAI
notation is a CLI tool to sign and verify OCI artifacts and container images. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries. Affected products include: Notaryproject Notation-Go.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
More in Notation Go
View allnotation is a CLI tool to sign and verify OCI artifacts and container images. Rated high severity (CVSS 8.8), this vulne
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Rated hi
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing softw
notation is a CLI tool to sign and verify OCI artifacts and container images. Rated medium severity (CVSS 6.5), this vul
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Rated low severity (CVSS 3.3), this
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today