{"id":"GHSA-9m3v-v4r5-ppx7","summary":"Notation vulnerable to denial of service from high number of artifact signatures","details":"### Impact\nAn attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running `notation verify`.\n\n### Patches\nThe problem has been fixed in the release [v1.0.0-rc.6](https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6). Users should upgrade their notation packages to [v1.0.0-rc.6](https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6) or above.\n\n### Workarounds\nUser should use secure and trusted container registries.\n\n### Credits\nThe `notation` project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) for root cause analysis.","aliases":["CVE-2023-33957","GO-2023-1829"],"modified":"2024-08-20T20:59:06.126002Z","published":"2023-06-06T16:43:01Z","database_specific":{"severity":"MODERATE","nvd_published_at":"2023-06-06T19:15:12Z","cwe_ids":["CWE-400"],"github_reviewed":true,"github_reviewed_at":"2023-06-06T16:43:01Z"},"references":[{"type":"WEB","url":"https://github.com/notaryproject/notation/security/advisories/GHSA-9m3v-v4r5-ppx7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33957"},{"type":"WEB","url":"https://github.com/notaryproject/notation/commit/ed22fde52f6d70ae0b53521bd28c9ccafa868c24"},{"type":"PACKAGE","url":"https://github.com/notaryproject/notation"},{"type":"WEB","url":"https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6"}],"affected":[{"package":{"name":"github.com/notaryproject/notation","ecosystem":"Go","purl":"pkg:golang/github.com/notaryproject/notation"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.0.0-rc.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-9m3v-v4r5-ppx7/GHSA-9m3v-v4r5-ppx7.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}]}