{"id":"GHSA-45v3-38pc-874v","summary":"notation-go's timestamp signature generation lacks certificate revocation check","details":"This issue was identified during Quarkslab's audit of the timestamp feature.\n\n### Summary\nDuring the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified.\n\n### Details\nDuring timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`.\n\n### Impact\nThis could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations.\n","aliases":["CVE-2024-56138","GO-2025-3381"],"modified":"2026-02-04T03:25:29.658336Z","published":"2025-01-13T16:14:07Z","related":["CGA-fhf8-fh2w-vggp"],"database_specific":{"github_reviewed_at":"2025-01-13T16:14:07Z","github_reviewed":true,"cwe_ids":["CWE-299"],"severity":"MODERATE","nvd_published_at":"2025-01-13T22:15:14Z"},"references":[{"type":"WEB","url":"https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56138"},{"type":"WEB","url":"https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102"},{"type":"WEB","url":"https://github.com/notaryproject/notation-go/commit/e99be1954a15673020150c5f8800b8174cd7428d"},{"type":"PACKAGE","url":"https://github.com/notaryproject/notation-go"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-3381"}],"affected":[{"package":{"name":"github.com/notaryproject/notation-go","ecosystem":"Go","purl":"pkg:golang/github.com/notaryproject/notation-go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.2.0-beta.1"},{"fixed":"1.3.0-rc.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-45v3-38pc-874v/GHSA-45v3-38pc-874v.json","last_known_affected_version_range":"\u003c= 1.3.0-rc.1"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}