CVE-2023-33958 : notation is a CLI tool to sign and verify OCI artifacts and container images. An

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

Published 2023-06-06 19:15:13

Updated 2024-02-29 21:16:50

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-33958

Notaryproject » Notation-go
Versions before (<) 1.0.0
cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*
Matching versions
Notaryproject » Notation-go » Version: 1.0.0 Update RC1
cpe:2.3:a:notaryproject:notation-go:1.0.0:rc1:*:*:*:*:*:*
Matching versions
Notaryproject » Notation-go » Version: 1.0.0 Update RC2
cpe:2.3:a:notaryproject:notation-go:1.0.0:rc2:*:*:*:*:*:*
Matching versions
Notaryproject » Notation-go » Version: 1.0.0 Update RC3
cpe:2.3:a:notaryproject:notation-go:1.0.0:rc3:*:*:*:*:*:*
Matching versions
Notaryproject » Notation-go » Version: 1.0.0 Update RC4
cpe:2.3:a:notaryproject:notation-go:1.0.0:rc4:*:*:*:*:*:*
Matching versions
Notaryproject » Notation-go » Version: 1.0.0 Update RC5
cpe:2.3:a:notaryproject:notation-go:1.0.0:rc5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-33958

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-33958

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L	2.8	2.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: Low

CWE ids for CVE-2023-33958

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-33958

https://github.com/notaryproject/notation/releases/tag/v1.0.0-rc.6

Release v1.0.0-rc.6 · notaryproject/notation · GitHub
Release Notes
https://github.com/notaryproject/notation/security/advisories/GHSA-rvrx-rrwh-r9p6

Default `maxSignatureAttempts` in `notation verify` enables an endless data attack · Advisory · notaryproject/notation · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-33958

Products affected by CVE-2023-33958

Exploit prediction scoring system (EPSS) score for CVE-2023-33958

CVSS scores for CVE-2023-33958

CWE ids for CVE-2023-33958

References for CVE-2023-33958