CVE-2023-33957 - OpenCVE

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Notaryproject	Notation-go

Configuration 1 [-]

OR	cpe:2.3:a:notaryproject:notation-go::::::::
	cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1::::::
	cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2::::::
	cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3::::::
	cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4::::::
	cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5::::::

References

Link	Resource
https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24	Patch
https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-06T18:10:30.416Z

Updated: 2023-06-06T18:10:30.416Z

Reserved: 2023-05-24T13:46:35.952Z

Link: CVE-2023-33957

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-06-06T19:15:12.363

Modified: 2024-02-29T21:16:49.777

Link: CVE-2023-33957

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-33957", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-24T13:46:35.952Z", "datePublished": "2023-06-06T18:10:30.416Z", "dateUpdated": "2023-06-06T18:10:30.416Z"}, "containers": {"cna": {"title": "Denial of service from high number of artifact signatures in notation", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7"}, {"name": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24", "tags": ["x_refsource_MISC"], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24"}], "affected": [{"vendor": "notaryproject", "product": "notation", "versions": [{"version": "< 1.0.0-rc.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-06T18:10:30.416Z"}, "descriptions": [{"lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries."}], "source": {"advisory": "GHSA-9m3v-v4r5-ppx7", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E048A2E7-0021-480A-AD91-F07F8BFDE9CE", "versionEndExcluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A6851C33-6C20-4B20-B26F-E258C681265E", "vulnerable": true}, {"criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "99878E6C-4778-4ECE-9E29-D2A1AFB9DB82", "vulnerable": true}, {"criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0B583E52-5510-42E2-AD05-F574ACCB13E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "C23C91C1-C4D1-47AC-B167-CCFF71A00C5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "EB72FE70-F2E3-4540-A6BE-2EE0DB662365", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries."}], "id": "CVE-2023-33957", "lastModified": "2024-02-29T21:16:49.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-06-06T19:15:12.363", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}