CVE-2023-33959
Severity: HIGH 8.8 | EPSS: 0.15%
notation-go's verification bypass can cause users to verify the wrong artifact
Description
### Impact

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

### Patches

The problem has been fixed in the release [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6). Users should upgrade their notation-go library to [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6) or above.

### Workarounds

Users should use secure and trusted container registries.

### Credits

The `notation` project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during a security audit (facilitated by OSTIF and sponsored by CNCF), and Shiwei Zhang (@shizhMSFT) and Pritesh Bandi (@priteshbandi) for the root cause analysis.
Affected packages (2)
- Go / github.com/notaryproject/notation-go: from 0, < 1.0.0-rc.6
- Go / github.com/notaryproject/notation-go: from 0, < 1.0.0-rc.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-33959
- PATCH: https://github.com/notaryproject/notation-go
- WEB: https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
- WEB: https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
- WEB: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
- WEB: https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r