{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-23332", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.442Z", "datePublished": "2024-01-19T22:19:37.013Z", "dateUpdated": "2024-01-19T22:19:37.013Z"}, "containers": {"cna": {"title": "Client configured with permissive trust policies susceptible to rollback attack in Notary Project", "problemTypes": [{"descriptions": [{"cweId": "CWE-672", "lang": "en", "description": "CWE-672: Operation on a Resource after Expiration or Release", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8"}, {"name": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a", "tags": ["x_refsource_MISC"], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a"}], "affected": [{"vendor": "notaryproject", "product": "specifications", "versions": [{"version": "<= 1.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-19T22:19:37.013Z"}, "descriptions": [{"lang": "en", "value": "The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. In Notary Project, an artifact publisher can control the validity period of artifact by specifying signature expiry during the signing process. Using shorter signature validity periods along with processes to periodically resign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attack in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios includes 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workload; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure the signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher. This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry."}], "source": {"advisory": "GHSA-57wx-m636-g3g8", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6147D6-33B0-41A8-B928-2E7FE75BBF0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. In Notary Project, an artifact publisher can control the validity period of artifact by specifying signature expiry during the signing process. Using shorter signature validity periods along with processes to periodically resign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attack in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios includes 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workload; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure the signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher. This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry."}, {"lang": "es", "value": "Notary Project es un conjunto de especificaciones y herramientas destinadas a proporcionar un est\u00e1ndar intersectorial para proteger las cadenas de suministro de software mediante el uso de im\u00e1genes de contenedores aut\u00e9nticas y otros artefactos OCI. Un actor externo con control de un registro de contenedor comprometido puede proporcionar versiones obsoletas de artefactos OCI, como im\u00e1genes. Esto podr\u00eda llevar a los consumidores de artefactos con pol\u00edticas de confianza relajadas (como \"permisivas\" en lugar de \"estrictas\") a utilizar potencialmente artefactos con firmas que ya no son v\u00e1lidas, haci\u00e9ndolos susceptibles a cualquier vulnerabilidad que esos artefactos puedan contener. En Notary Project, un editor de artefactos puede controlar el per\u00edodo de validez del artefacto especificando la caducidad de la firma durante el proceso de firma. El uso de per\u00edodos de validez de firma m\u00e1s cortos junto con procesos para renunciar peri\u00f3dicamente a los artefactos permite a los productores de artefactos garantizar que sus consumidores solo recibir\u00e1n artefactos actualizados. En consecuencia, los consumidores de artefactos deber\u00edan utilizar una pol\u00edtica de confianza \"estricta\" o equivalente que imponga la caducidad de la firma. En conjunto, estos pasos permiten el uso de artefactos actualizados y protegen contra ataques de reversi\u00f3n en caso de que el registro se vea comprometido. Notary Project ofrece varias opciones de validaci\u00f3n de firmas, como \"permisivo\", \"auditor\u00eda\" y \"omitir\" para admitir varios escenarios. Estos escenarios incluyen 1) situaciones que exigen una implementaci\u00f3n urgente de cargas de trabajo, que requieren eludir firmas caducadas o revocadas; 2) auditor\u00eda de artefactos que carecen de firmas sin interrumpir la carga de trabajo; y 3) omitir la verificaci\u00f3n de im\u00e1genes espec\u00edficas que podr\u00edan haber sido validadas a trav\u00e9s de mecanismos alternativos. Adem\u00e1s, Notary Project admite la revocaci\u00f3n para garantizar la frescura de la firma. Los editores de artefactos pueden firmar con certificados de corta duraci\u00f3n y revocar certificados m\u00e1s antiguos cuando sea necesario. Esta revocaci\u00f3n sirve como se\u00f1al para informar a los consumidores de artefactos que el artefacto vigente correspondiente ya no est\u00e1 aprobado por el editor. Esto permite al editor de artefactos controlar la validez de la firma independientemente de su capacidad para administrar artefactos en un registro comprometido."}], "id": "CVE-2024-23332", "lastModified": "2024-02-29T21:16:49.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-19T23:15:07.930", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/notaryproject/specifications/commit/cdabdd1042de2999c685fa5d422a785ded9c983a"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/notaryproject/specifications/security/advisories/GHSA-57wx-m636-g3g8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-672"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}