{"id":"CVE-2023-33957","summary":"Denial of service from high number of artifact signatures in notation","details":"notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.","aliases":["GHSA-9m3v-v4r5-ppx7","GO-2023-1829"],"modified":"2026-04-10T04:58:46.496558Z","published":"2023-06-06T18:10:30.416Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33957.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33957.json"},{"type":"ADVISORY","url":"https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33957"},{"type":"FIX","url":"https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/notaryproject/notation","events":[{"introduced":"0"},{"fixed":"cc3f7aa06b600a689af5274daa7c06fb3e55e69e"}]}],"versions":["v0.10.0-alpha.3","v0.10.0-alpha.3.dev.20220821","v0.10.0-alpha.3.dev.20220828","v0.10.0-alpha.3.dev.20220904","v0.10.0-alpha.3.dev.20220911","v0.10.0-alpha.3.dev.20220918","v0.10.0-alpha.3.dev.20220925","v0.10.0-alpha.3.dev.20220928","v0.10.0-alpha.3.dev.20221002","v0.10.0-alpha.3.dev.20221009","v0.11.0-alpha.4","v0.11.0-alpha.4.dev.20221016","v0.11.0-alpha.4.dev.20221023","v0.11.0-alpha.4.dev.20221030","v0.12.0-beta.1","v0.12.0-beta.1.dev.20221204","v0.7.0-alpha.1","v0.7.1-alpha.1","v0.9.0-alpha.1","v1.0.0-rc.1","v1.0.0-rc.1.dev.20230201","v1.0.0-rc.2","v1.0.0-rc.2.dev.20230226","v1.0.0-rc.3","v1.0.0-rc.4","v1.0.0-rc.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33957.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/notaryproject/notation-go","events":[{"introduced":"0"},{"fixed":"553b866ed4efd3f94cc0f1773cabdab25ff0ef09"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.0"}]}}],"versions":["v0.10.0-alpha.3","v0.11.0-alpha.4","v0.12.0-beta.1","v0.7.0-alpha.1","v0.8.0-alpha.1","v0.9.0-alpha.1","v1.0.0-rc.1","v1.0.0-rc.2","v1.0.0-rc.3","v1.0.0-rc.4","v1.0.0-rc.5","v1.0.0-rc.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33957.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L"}]}