Vulnerability Details : CVE-2023-25656
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of OCI artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check whether any trusted identity string contains `=#`. Meanwhile, users should only put trusted certificates in the trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
Products affected by CVE-2023-25656
- cpe:2.3:a:notaryproject:notation-go:0.7.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:notaryproject:notation-go:0.8.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:notaryproject:notation-go:0.9.0:alpha1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25656
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~42% (the proportion of vulnerabilities scored at or below this one)
EPSS Score History
CVSS scores for CVE-2023-25656
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2023-25656
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2023-25656
- https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3 (Release v1.0.0-rc.3 · notaryproject/notation-go · GitHub) [Release Notes]
- https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v (Excessive memory allocation on verification · Advisory · notaryproject/notation-go · GitHub) [Vendor Advisory]