CVE-2023-33959
Severity: HIGH 8.8 | EPSS: 0.15%

notation-go's verification bypass can cause users to verify the wrong artifact

## Description
### Impact

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

### Patches

The problem has been fixed in the release [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6). Users should upgrade their notation-go library to [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6) or above.

### Workarounds

Users should use secure and trusted container registries.

### Credits

The `notation` project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during a security audit (facilitated by OSTIF and sponsored by CNCF), and Shiwei Zhang (@shizhMSFT) and Pritesh Bandi (@priteshbandi) for root cause analysis.
## Affected packages

- Go / github.com/notaryproject/notation-go: from 0, < 1.0.0-rc.6
## CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
## References (6)

- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-33959
- PATCH: https://github.com/notaryproject/notation-go
- WEB: https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
- WEB: https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
- WEB: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
- WEB: https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r