logo

Database

Insecure digital certificates In github.com/docker/notary

Description

Docker Notary Signature Algorithm Not Matched to Key vulnerability In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Algorithm Not Matched to Key vulnerability. Because an attacker controls the field specifying the signature algorithm, they might (for example) be able to forge a signature by forcing a misinterpretation of an RSA-PSS key as Ed25519 elliptic-curve data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2015-92582. NVD-2015-92583. OSV-2015-92584. OSV-DEBIAN-2015-92585. GCVE-2015-92586. SECURITY-TRACKER-CVE-2015-9258

References

1. https://github.com/theupdateframework/notary/blob/master/docs/resources/ncc_docker_notary_audit_2015_07_31.pdf2. https://web.archive.org/web/20160305015752/https://docs.docker.com/notary/changelog

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.